RE: [cobalt-users] ipchains logic/philosophy question
- Subject: RE: [cobalt-users] ipchains logic/philosophy question
- From: "Paulick, Jim" <jpaulick@xxxxxxx>
- Date: Wed Oct 16 08:26:00 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
It would be a useful wrapper to deny access to the services that are running, such as DNS, v-servers, SMTP, POP....
Instead of doing it from the application, you can do it from the ipchains level.
-jim
-----Original Message-----
From: Paul Warner [mailto:pwarner@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, October 15, 2002 8:40 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] ipchains logic/philosophy question
> On Tue, 2002-10-15 at 17:13, Paul Warner wrote:
> > I have reviewed the docs on ipchains and am ready to implement it on a
> > server, but am still confused as to its real purpose. Were the host acting
> > as a router and using the chains to allow/forward/deny access to internal
> > resources as well as public ones, I would be OK with it...if a standalone
> > leased server is acting as a public device hosting DNS, v-servers, SMTP, POP
> > and other services are not started (verified with a port-scan), what purpose
> > does ipchains serve in DENYing access to the telnet and ftp ports, other
> > than to log the intrusion when someone hits that port? The server does not
> > have these daemons running, so there's no question that it won't respond to
> > them.
> >
> > Obviously I'm missing something here...
> >
> > -- P
> >
> When a service is not running the server does respond. It rejects the
> request. That can help a potential attacker map your network. A DENY
> just drops the packet, which means that the attacker doesn't get a
> response, as if your machine wasn't there at all.
> As for DENYing access to telnet and ftp ports (SSH and other login
> services should be lumped in there as well) it should be used as a
> limiter to narrow down the amount of people that can use them.
>
> If you know that there are only 2 people besides yourself that are going
> to use SSH, it's good practice to limit the access to the 3 ip addresses
> you are coming from. No reason to let the rest of the world in as well.
>
>
>
> Shannon Johnston
>
>
Thanks...I knew there must be a reason many run this package when most Raqs
are at the 'end of the street' and not used as a router... I concur on the
limits to IPs that need access to SSH and similar, but if I'm running _any_
publicly available service, the world 'knows' that there is a box there, so
I'm still unclear on the net-mapping claim.
-- P
_____________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
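An added illustration of the two points made in the thread (not part of the original posts and not Cobalt or ipchains code): Shannon's distinction between a port that is merely closed (the host answers with a rejection) and one that is DENYed (no answer at all), and the advice to allow SSH only from a handful of known addresses. It models ipchains-style first-match input rules in Python; the listening ports, the three admin addresses and the probing address are constructed placeholders.

```python
# Added example: a small model of ipchains-style first-match input filtering,
# showing what a remote probe observes with and without DENY rules on a host
# that runs only SSH, SMTP, DNS, HTTP and POP (constructed port set).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    target: str              # "ACCEPT", "DENY" (silent drop) or "REJECT"
    port: Optional[int] = None   # None = rule applies to any port
    src: str = "0.0.0.0/0"       # source network the rule applies to

LISTENING = {22, 25, 53, 80, 110}   # daemons actually running (constructed)

def filter_verdict(rules, src, dport):
    """Walk the rules first-match, like ipchains -A input; assumed default policy ACCEPT."""
    for r in rules:
        if (r.port is None or r.port == dport) and ip_address(src) in ip_network(r.src):
            return r.target
    return "ACCEPT"

def host_reply(rules, src, dport):
    """What a remote probe to dport observes: 'open', 'closed' (host answers
    with a rejection, as on a box without ipchains) or 'filtered' (no reply)."""
    verdict = filter_verdict(rules, src, dport)
    if verdict == "DENY":
        return "filtered"
    if verdict == "REJECT":
        return "closed"
    return "open" if dport in LISTENING else "closed"

def scan(rules, src, ports):
    """Map each probed port to the reply the source address would see."""
    return {p: host_reply(rules, src, p) for p in ports}

# Ruleset following the thread's advice: SSH only from three admin addresses
# (constructed placeholders), public services accepted, everything else
# silently DENYed so telnet/ftp probes draw no response at all.
ADMIN_NETS = ["192.0.2.10/32", "192.0.2.11/32", "198.51.100.5/32"]
RULES = [Rule("ACCEPT", 22, n) for n in ADMIN_NETS] + [
    Rule("DENY", 22),
    Rule("ACCEPT", 25), Rule("ACCEPT", 53), Rule("ACCEPT", 80), Rule("ACCEPT", 110),
    Rule("DENY"),   # catch-all
]
PROBE_PORTS = [21, 22, 23, 25, 53, 80, 110, 143]

if __name__ == "__main__":
    print("no ipchains:", scan([], "203.0.113.7", PROBE_PORTS))
    print("with DENY  :", scan(RULES, "203.0.113.7", PROBE_PORTS))
    print("admin host :", scan(RULES, "192.0.2.10", PROBE_PORTS))
```

Without rules the unused telnet and ftp ports show as closed (the host replies); with the DENY catch-all they show as filtered, and SSH is visible only from the three admin addresses.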