I used to run Bind for my DNS at home, and since I moved I've just been
using granitecanyon.com for my domains instead.  If you run bind, you have
to be vigilant in watching security advisories for it, and I'm sure there's
some unpublished exploits floating around for it too.  

If you must run a nameserver, and you want a secure alternative, try Dan
Bernstein's djbdns at http://cr.yp.to.  However, it's a pain to set up, and
if you want to modify any code, it's not commented at all.  You'll spend 90%
of your time trying to figure out what he's trying to do.  Dan's a very
ingenious programmer; he just neglects to document anything.  There's still
a $1000 reward for finding "any" security holes in it.

Bind 9 is supposed to be much more secure than Bind 8, but I haven't tried
it yet.  I'd be wary of something that 99.9% of organizations have not
adopted yet.  It's only been out for a few weeks too.  To crackers, finding
an exploit in it isn't worth it yet since no one is using it.

Jay



-----Original Message-----
From: Jay W. Anderson [mailto:jwanderson at uswest.net]
Sent: Saturday, October 21, 2000 10:11 AM
To: tclug-list at mn-linux.org
Subject: Re: [TCLUG:22990] Services needed


On 21 Oct 00, at 9:59, Dave Sherohman wrote:

> 
> Probably wise...  (Take a look at exim, too.)
> 
OK

> > DNS (caching or otherwise)?
> 
> If you've got your own domain, you'll probably want to run your own primary
> DNS for it and get Real-Time (or one of the free DNS services) to do
> secondary for you.  Just read the DNS-HOWTO; it's not difficult to set up.
> 

> > possibly www & ftp (not anonymous) at some point (apache & one of the
> > ftpd's)
> 
> Yeah, you're probably going to want an httpd, and apache's the tool of choice
> there.
> 
My thoughts as well

> If you don't want to offer anon ftp and you're running ssh[1], take a look at
> sftp.  It's basically just the ftp protocol run over an ssh connection.  Very
> nice, friendlier than scp, and with all the security of ssh.  And it's not
> yet-another-daemon-running-as-root.
> 
I'll look into this

> [1]  You've probably heard it from Amy already, but, just in case, here it is
> from me:  DON'T run a telnetd unless absolutely necessary.  Run sshd instead.

I did know that.  But thanks for the reminder.

Anything else that I need to think about?

Thanks, 

Jay

---------------------------------------------------------------------
To unsubscribe, e-mail: tclug-list-unsubscribe at mn-linux.org
For additional commands, e-mail: tclug-list-help at mn-linux.org
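The advice in the quoted message (drop telnetd and cleartext ftp, run sshd and use sftp) can be checked on the box rather than taken on trust. The script below is an added example for this page, not code from either poster: it audits an inetd.conf for enabled cleartext login/file-transfer services and checks sshd_config for the sftp subsystem and PermitRootLogin. The file paths, the helper names and the sample config contents are all constructed here for illustration; point the functions at the real /etc/inetd.conf and sshd_config on your own host.

```sh
#!/bin/sh
# Added example (not from the thread): audit an inetd-based host for the two
# points made above - cleartext telnet/ftp should be off, sshd with the sftp
# subsystem should be on. Sample files below are constructed for the demo.

# List enabled (uncommented) inetd services that carry passwords in the clear.
# Output: service names, sorted, space-separated on one line, no trailing space.
risky_inetd_services() {
    awk '$1 !~ /^#/ && $1 ~ /^(telnet|ftp|shell|login|exec)$/ { print $1 }' "$1" \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 if sshd_config contains an uncommented "Subsystem sftp ..." line.
sftp_enabled() {
    grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$1"
}

# Exit 0 only if root logins over ssh are explicitly refused. (In 2000-era
# OpenSSH the default was "yes", so absence of the directive is not enough.)
root_login_disabled() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1"
}

# Print findings; return 1 when any cleartext service is still enabled.
audit_report() {
    # $1: inetd.conf path, $2: sshd_config path
    risky=$(risky_inetd_services "$1")
    if [ -n "$risky" ]; then
        echo "cleartext services enabled in inetd: $risky"
    fi
    sftp_enabled "$2" && echo "sftp subsystem: enabled" || echo "sftp subsystem: MISSING"
    root_login_disabled "$2" && echo "PermitRootLogin: no" || echo "PermitRootLogin: not set to no"
    [ -z "$risky" ]
}

# --- constructed sample inputs (assumed layout of a typical distro install) ---
AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT

cat > "$AUDIT_DIR/inetd.conf" <<'EOF'
# /etc/inetd.conf (constructed sample: ftp and telnet still switched on)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
EOF

cat > "$AUDIT_DIR/sshd_config" <<'EOF'
# sshd_config (constructed sample: sftp on, root login refused)
Port 22
PermitRootLogin no
Subsystem sftp /usr/lib/ssh/sftp-server
EOF

if audit_report "$AUDIT_DIR/inetd.conf" "$AUDIT_DIR/sshd_config"; then
    echo "result: no cleartext services"
else
    echo "result: comment out the listed inetd entries and HUP inetd"
fi
```

On the sample above the report flags ftp and telnet, confirms the sftp subsystem, and notes that root login is refused; on a real host, comment out the flagged inetd.conf lines, send inetd a HUP, and re-run until the list is empty.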
