Re: [cobalt-developers] Secure FTP and PortSentry
- Subject: Re: [cobalt-developers] Secure FTP and PortSentry
- From: "Jonathan Michaelson" <michaelsonjd@xxxxxxxxxxx>
- Date: Fri Mar 7 02:50:01 2003
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
Hello John,
> Firstly, we installed PortSentry as a PKG file, but did an uninstall of
> the PKG as numerous users were reporting that they could no longer
> access the mail server for their domains. The uninstall was not clean,
> as we had to manually delete two PortSentry directories that remained
> after running the PKG uninstall. Upon a system reboot the PortSentry
> processes were gone so we assumed all was well.
>
> We are now getting constant calls telling us that users who are using
> fixed IP addresses to access the Cobalt box are still not able to
> access their email, despite the fact that the PortSentry processes do
> not seem to be running. It appears to be the SMTP service that is
> affected, POP seems ok.
Depending on how you configured PortSentry, their IP addresses are probably
listed in a few possible places:
1. Check your /etc/hosts.deny file.
2. Run the following command from the root account to see if their IP
addresses are listed:
    route -n
Any entries with the "flags" set to !H are blocked.
3. If you're using IPChains then they may have been blocked by that.

To get them going again:
1. Remove them from the /etc/hosts.deny file.
2. To restore the route information depends on the command that denied them
access but is usually achieved with:
    route del -host xxx.xxx.xxx.xxx reject
3. I'm not familiar with IPChains enough for that one ;-)
> Secondly, we have stopped the ftp service on the Cobalt box, and are
> asking clients to use SecureFX from VanDyke Software to transfer files
> using sftp. This is working fine, except that each domain user can
> traverse the full Cobalt filesystem, and see all other users' web sites
> and associated files.
>
> Is it possible to lock down secure ftp access using SecureFX so that
> users can only access and view their own domain?
I doubt it, at least not easily. Users can do this anyway with a simple Perl
or PHP script (this has been discussed at some length several times
on the list). Looking at the OpenSSH configuration options it's not clear
that there is a simple way:
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current
--
Regards,
Jonathan Michaelson
Commercial CGI Scripting, Web Hosting
Web-based Email, Homepage Creation and Live Help products
http://www.webumake.com
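
The two checks from the reply above (hosts.deny entries and "!H" reject routes), as an added example that is not part of the original message. The sample data is constructed, the addresses are documentation-range placeholders, the "ALL: <ip>" entry format is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): find blocks that a removed
# PortSentry install may have left behind for one client IP.

# Constructed sample of `route -n` output; 203.0.113.45 is a reject route.
sample_routes() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.45    -               255.255.255.255 !H    0      -        0 -
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
EOF
}

# Constructed sample of /etc/hosts.deny (the entry format is an assumption).
sample_hosts_deny() {
cat <<'EOF'
# added by port scan detector
ALL: 203.0.113.45
ALL: 198.51.100.7
#ALL: 192.0.2.10
EOF
}

# stdin: `route -n` output. Prints destinations whose Flags column is "!H".
rejected_routes() {
    awk '$4 == "!H" { print $1 }'
}

# stdin: hosts.deny text. Prints "line: entry" for uncommented entries
# naming exactly IP $1 (so 203.0.113.4 does not match 203.0.113.45).
hosts_deny_matches() {
    awk -v ip="$1" '
        /^[ \t]*#/ { next }
        { n = split($0, f, /[ \t,:]+/)
          for (i = 1; i <= n; i++)
              if (f[i] == ip) { print NR ": " $0; break } }'
}

# Prints where IP $1 is blocked and the clean-up step from the reply above.
# $2 = file holding hosts.deny text, $3 = file holding `route -n` output.
report_blocks() {
    hosts_deny_matches "$1" < "$2" | sed 's|^|hosts.deny line |'
    if rejected_routes < "$3" | grep -qxF "$1"; then
        echo "reject route present; remove with: route del -host $1 reject"
    fi
}
```

On a live system, save `route -n` output to a file and pass it with /etc/hosts.deny to report_blocks; the function only prints the removal command and changes nothing itself.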