TCLUG Archive

Re: [TCLUG:5528] security
> I ran nmap on this server from outside the intranet and it says lots of
> things are open:

Well, what I would do is have a default REJECT policy for incoming connections
to the server in the kernel's IP chains or forwarding rules.

With ipchains, you'd do something like

ipchains -P input REJECT

which changes the default policy for incoming connections to 'REJECT' -- people
connecting to your system will get 'connection refused' (hopefully).

At this point, you probably can't connect to any port on the server from a
remote host (maybe not even loopback).  Now, to allow your local network
access, we'll issue the following command:

ipchains -A input --source 192.168.1.0/255.255.255.0 -j ACCEPT

Hosts on your local network will hopefully be able to make connections, but
hosts outside that network will be rejected (as per the default policy).


There is a fair amount of documentation on ipchains and ipfwadm out there (you
just have to find it ;-), so any other strange tweaks you want to do can
probably also be made.
-- 
.------ ----- ---- ---- --- --- -- -- - -  -   -    -
|               Mike Hicks | Linux User Since: 1.2.13
: http://umn.edu/~hick0088 | mailto:hick0088@tc.umn.edu
`              icq:6883760 | Current Kernel: 2.2.5
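As an added example (not part of Mike's reply), a small sh script that emits the rule set described above for an assumed local network, and also adds the loopback and non-SYN TCP rules that a default REJECT input policy otherwise breaks; LOCAL_NET and the rule order are assumptions, not from the post.

```shell
#!/bin/sh
# Added example: generate the ipchains input rules for a host that should
# only accept new connections from its local network.
# LOCAL_NET is an assumed value; override it in the environment.
LOCAL_NET="${LOCAL_NET:-192.168.1.0/255.255.255.0}"

# ipchains_rules NET
# Print the rules as text so they can be reviewed before being applied.
# Order matters for safety: ACCEPT rules go in first and the REJECT policy
# is set last, so a remote admin session is not cut off halfway through.
ipchains_rules() {
    net="$1"
    cat <<EOF
ipchains -F input
ipchains -A input -i lo -j ACCEPT
ipchains -A input -p tcp ! -y -j ACCEPT
ipchains -A input -s $net -j ACCEPT
ipchains -P input REJECT
EOF
}
# Rule notes:
#   -i lo          keeps local services (X, syslog, etc.) talking to themselves.
#   -p tcp ! -y    accepts TCP packets that are not a bare SYN, i.e. replies to
#                  connections this host opened; new inbound connections from
#                  outside still hit the REJECT policy. ipchains is stateless,
#                  so UDP replies (DNS lookups, for example) need their own rule.
#   -s NET         is the post's rule allowing the local network in.

# rule_count NET: number of ipchains commands emitted (useful for a sanity check).
rule_count() {
    ipchains_rules "$1" | grep -c '^ipchains '
}

# Print the rules by default; "apply" runs them as root.
case "${1:-print}" in
    apply) ipchains_rules "$LOCAL_NET" | sh ;;
    *)     ipchains_rules "$LOCAL_NET" ;;
esac
```

Run it once with no arguments, read the output, then run it with `apply` on the server itself rather than over a remote session you cannot afford to lose.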