LinuxSA Mailing list archives

  From: Geoffrey D. Bennett <g@netcraft.com.au>
  To  : Stephen Baxter <steve@senet.com.au>
  Date: Mon, 7 Jul 1997 22:23:27 +0930 (CST)

Re: Security

> > For rlogin, rsh, telnet, talk, the best way is to edit /etc/inetd.conf
> > and put a hash mark ("#") at the start of the appropriate line, then
> > restart inetd ("ps aux | grep inetd" and
> > "kill -1 whatever-inetd's-pid-is").  This leaves those servers
> > installed, but they can't be used.
> 
> This is a coarse form of access control, you can also look at the man page
> for tcpd and hosts_access (5) - format of host access control files.
> This allows per host/service control for these services which is nice and
> safe depending on who you trust! Compiling with source route disabled
> should also stop most spoofing attacks on the host.

Yup.  So depending on your needs:

fine control: vi /etc/hosts.{allow,deny}
medium control: vi /etc/inetd.conf
coarse control: rm /usr/sbin/inetd :)

> Some of the services in the inetd.conf are also open to buffer overflow
> attack if you want to get serious about security, we had a customer using
> a RH3 install (I think it was 3) that had the imapd uncommented in
> inetd.conf and paid the price quite dearly.

:(.  This is why anyone who cares about their networked Red Hat system
should be subscribed to redhat-announce and stay current with the
relevant errata.

Do you know of any services which are supplied by Red Hat 4.2+updates
that are open to attack?  The hole in the imap server was fixed
3-Mar-97.

> > Nope.  That is the beauty of PAM (Pluggable Authentication Module).
> > Anything compiled to use it (like Red Hat's telnet, ftp, samba, etc
> > servers) will use whatever authentication scheme you have installed.
> 
> What type of support does RH have for PAM, can you radius calls ?

The software shipped with Red Hat Linux fully supports PAM AFAIK; it's
just a matter of having the appropriate PAM modules.  There is at
least a radius accounting module.  See /usr/doc/pam-*/html/pam-6.html.

The first few sections of rfc86.0.txt ("Unified Login with Pluggable
Authentication Modules (PAM)") (also in /usr/doc/pam-*/) look to be
an interesting read for anyone interested in PAM.

Regards,
-- 
Geoffrey D. Bennett (geoffrey@netcraft.com.au)
Computer Systems Manager, NetCraft Australia
http://www.netcraft.com.au/geoffrey/
Red Hat Linux Resellers: http://www.netcraft.com.au/redhat/
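
An added example, not part of the original message: a shell check that reads an inetd.conf-format file and reports which of the services discussed in the thread are still enabled, and whether each is started through tcpd (so that hosts.allow/hosts.deny apply) or directly. The watch list uses the names these services commonly have in /etc/services (an assumption; adjust to the local file), and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-format file for the services named
# in the thread and show whether each enabled one runs under tcpd.

# Assumed /etc/services names: rlogin is "login", rsh is "shell".
WATCH="login shell telnet talk ntalk imap"

# audit_inetd FILE -> one line per enabled watched service:
#   "<service> wrapped"    server field is tcpd (hosts.allow/deny apply)
#   "<service> unwrapped"  inetd starts the daemon directly
audit_inetd() {
    awk -v watch="$WATCH" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[ \t]*#/ { next }    # hash mark at line start: service disabled
        NF < 6     { next }    # blank or incomplete entry
        ($1 in want) {
            state = ($6 ~ /(^|\/)tcpd$/) ? "wrapped" : "unwrapped"
            print $1, state
        }
    ' "$1"
}

# count_unwrapped FILE -> number of enabled watched services not under tcpd
count_unwrapped() {
    audit_inetd "$1" | awk '$2 == "unwrapped" { n++ } END { print n + 0 }'
}

# Constructed sample input (not taken from any real host).
sample_inetd() {
    cat <<'EOF'
# constructed sample inetd.conf
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd        in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd        in.rshd
login   stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
talk    dgram   udp  wait    root  /usr/sbin/tcpd        in.talkd
imap    stream  tcp  nowait  root  /usr/sbin/imapd       imapd
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd        in.ftpd -l -a
EOF
}

# Audit the file given as the first argument, e.g. /etc/inetd.conf.
if [ $# -gt 0 ]; then audit_inetd "$1"; fi
```

Entries reported as "unwrapped" are not covered by any rule in hosts.allow or hosts.deny; entries reported as "wrapped" are only as restricted as those two files make them.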
