[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] Re: Cube 2 security

Subject: Re: [cobalt-users] Re: Cube 2 security
From: "Zeffie" <cobaltlist@xxxxxxxx>
Date: Mon Dec 1 02:57:01 2003
List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

> I've asked a couple of (I thought :) sensible questions about Qube 2
> matters recently with nothing back yet- I'll try again.  You guys perhaps
> don't realize how little is left on the web in a useable form for these
> things, perhaps.  Searching the archives for example, it's a tossup as to
> whether SCSI support is built into the kernal- some places say yes, some
> places say no, no mention of a specific version kernal or update that
added
> the feature.  Things like that.

when you posted that I broke out some old parts and tested away to re-create
what I had done in the past...  it would appear I rebuilt the kernel for the
card... it does support some scsi cards by default but none I have...

Rebuilding the kernel kinda sucks and I don't think we even have the last
SRPMS for it or many of the other services.  I did look at rebuilding it but
it looks as though it will take a long time and that testing will be
difficult... and limited to just the equipment I have here...  But then if I
do that I would need to build all the other services too.. ..  ummm.. ok I
have built about everything already.. but.... there are still many many
holes that just make it very difficult to try to keep updated...  Thats why
I use a firewall I can adjust via the gui to control access to the box and
Snort, which allows me to do various things to the traffic depending on a
set of rules..

> So, I've read/know a bit about hardening your services to make your setup
> more secure, similar to Token's _Read World Linux Security_ and other
> sources that have received good reviews.  But those are geared for RH 7
and
> up, often. A different era both in Linux and for the net from the Qube 2.
> I just can't get a good picture of where the Qube 2 fits- securable or
> not??  The services I mention below- can I get them implemented securely
or
> should I just give up now and put on NetBSD 1.6.1?  I'd kind of like to
> keep the Cobalt implementation for fun, if it will work properly.

With snort it's better...  but for the most part it should be off the net.
The netBSD is cute.. (been there done that) but it's very plain and not
completly developed by the looks of things... also it's slow and the
building env is more education based...

> With comments like the above about the Qube 2 services, just how much
> SHOULD I trust the old RH 6 implementation it has?  There's the MIPS pkgs
> to update te sendmail, Apache, and a couple other services out there, but
> not much else.  And those aren't very recent.

you shouldn't trust it...   it's more like a growing 5.2 btw

> What happens if I use common sense and change permissions/harden up the RH
> 6 and then run the Cobalt GUI? Will it revert much of the changes I made,
> or the GUI break pretty fast?  And setting up PHP seems completely
> incompatible with the GUI?  PHP is pretty insecure anyway...

I have built php for the mips over and over and over on raq1, raq2 and it
works fine.
in fact I have already built the current php for the raq2...

> Recall if you will from my other posts, this Qube 2 is a replacement for
my
> current home-based classic MacOS ftpd, SMTP/POP3, and it would be nice to
> web-publish some databases from it as well.  IMAP would be nice.  My
> current setup is pretty secure, I would like that to continue.   Primary
> use is as ftpd for moving files betwen the university and home.

ok..  ftp has so many holes  it should be renamed anonftp :D

> I searched the archives extensively before I posted the first time, I'm
> pretty comfortable with setting a newer Linux box in such a manner that
> people should be kept out, but I have been unable to decide what
> should/should not be workable with the RH 6 on the Qube 2.

> After I get back from the holiday I'll have a SCSI card waiting for me to
> install in the Qube 2, and I'll setup my /pub ftp files on an external
> drive, and start trying to get things set up; but it would be very nice to
> get some feedback on whether it's possible to harden  this older setup
> properly.  Since summary information about these guys is apparantly
> vanishing, I'd really be happy to put together a list of things that
> can/might/should not be done with them.  I would like to avoid finding out
> about problems the hard way.

> Thanks for any replies from those who used these things "way back when" in
> 1999-2000 ;)
> Brian

I would suggest you setup snort, and a firewall to control access if you
must put it on the net...

I don't mean to come across wrong here.. I love the little things and I
bought one in 1999 for $1,401and i still have it running...  :)  I have
built over 200 rpms for it... I think they are great for educational use off
the internet...  but thats it...

http://www.archive.org/download/DuckandC1951/DuckandC1951.mpg

Zeffie
Cobalt RaQ System Administration, Maintenance and Repairs.
http://www.zeffie.com/how_to_contact_zeffie.html 734.454.9117
http://www.zeffie.com/ Home of the Worlds Largest Collection of RaQ rpms
Advanced Cobalt Security, Firewall, Snort, AntiSpam, AntiVirus and other
GUI's

References:
- [cobalt-users] Re: Cube 2 security
  - From: Brian

Prev by Date: RE: [cobalt-users] Cobalt database + SSL problem
Next by Date: RE: [cobalt-users] What process creates/deletes the daily gz of maillog etc? [RAQ4]
Previous by thread: [cobalt-users] Re: Cube 2 security
Next by thread: Re: [cobalt-users] Re: Cube 2 security

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index