Re: Any security issues with root's cron job?
From: Brian Reichert (reichert@numachi.com)
Date: 07/05/02
- Next message: Crist J. Clark: "Re: ssk-keygen"
- Previous message: Crist J. Clark: "Re: Rebuilding the static programs"
- In reply to: Kim Okasawa: "Re: Any security issues with root's cron job?"
- Next in thread: twig les: "NTP security - (was Any security issues with root's cron job?)"
- Reply: twig les: "NTP security - (was Any security issues with root's cron job?)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 5 Jul 2002 16:19:34 -0400
From: Brian Reichert <reichert@numachi.com>
To: Kim Okasawa <kimokasawa@hotmail.com>

On Sat, Jul 06, 2002 at 05:07:06AM +0900, Kim Okasawa wrote:
> >From: Stephanie Wehner <_@r4k.net>
> >To: Kim Okasawa <kimokasawa@hotmail.com>
> >Subject: Re: Any security issues with root's cron job?
> >Date: Wed, 3 Jul 2002 16:48:37 +0200
> >
> >Hi Kim,
> >
> > > Can anyone think of any potential security risks to such practice?
> > > Any suggestions and comments are greatly appreciated. Thank you!
> >
> >Not from the cronjob directly, however why would you want to change
> >your ipfw rule set according to time ?
> >
> >What I would check in this case is how your machine keeps time,
> >eg it must be rather accurate. Also, by getting timing information
> >from a remote ntp server for example would then mean you place your
> >firewall rules pretty much into their hands.
> >
>
> Hi Stephanie:
>
> Good thinking. You are absolutely right! The time should be rather
> accurate in order for this to function correctly. How about letting the
> server run its ntp service? Clients who want to access the server
> would have to sync with it if necessary. But this means that the firewall
> needs to open the ntp port and may create other problems.

You don't _need_ an NTP server on your vault if you have access to
one that you trust. I feel that most institutions should set up a
peered set of stratum-3 servers, out of hand, and sync internal
hosts to those; this cuts down on network traffic, if nothing else.
(You could even force them to use your time server(s) via divert.)

If your vault is to merely be an NTP client, then it will poll your
time server(s); you can firewall out spoofed replies.

If your time server is also to be an NTP server, then it will need
to be able to serve requests from your LAN.

These are both easily locked down via ipfw.

>
> What I want is to create a virtual timed vault that only allows the world to
> access certain services within a specific period of time. In my case,
> some services/ports don't need to be available to the public from 8PM-8AM.
> Closing those ports may mean less trouble.
>
> Any suggestion on how to deal with the ntp problem? Thanks.
>
> Best Regards,
> Kim
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
Brian 'you ***' Reichert <reichert@numachi.com>
37 Crystal Ave. #303
Daytime number: (603) 434-6842
Derry NH 03038-1713 USA
Intel architecture: the left-hand path

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
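
The two cases in the reply above (a host that is only an NTP client, and a time server that also answers the LAN), sketched as ipfw rules. This is an added example, not part of the original message; the rule numbers, the function names and the 192.0.2.x / 192.168.1.0/24 addresses are assumptions chosen for illustration.

```shell
#!/bin/sh
# Dry run by default: the ipfw commands are printed, not executed.
# On a FreeBSD host, run with IPFW=ipfw to apply them.
IPFW="${IPFW:-echo ipfw}"

# Accept only IPv4 literals (optionally with /len), so the rule set never
# depends on a DNS answer at load time.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    printf '%s\n' "$1" | awk -F'[./]' \
        '{ for (i = 1; i <= NF; i++) if ($i > (i == 5 ? 32 : 255)) exit 1 }'
}

# Client role: the host polls the listed time servers. Only a reply that
# matches the dynamic state created by its own query is let back in.
ntp_client_rules() {
    for s in "$@"; do   # validate everything before emitting any rule
        is_ipv4 "$s" || { echo "not an IPv4 literal: $s" >&2; return 1; }
    done
    $IPFW add 1000 check-state
    n=1010
    for s in "$@"; do
        $IPFW add "$n" allow udp from me to "$s" 123 keep-state
        n=$((n + 10))
    done
    # Any other packet presenting itself as NTP, spoofed replies included,
    # falls through to these two rules and is dropped.
    $IPFW add 1900 deny udp from any 123 to me
    $IPFW add 1910 deny udp from any to me 123
}

# Server role: additionally answer queries from the LAN ($1, e.g. a /24).
# Numbered below 1900 so it is evaluated before the deny rules.
ntp_server_rules() {
    is_ipv4 "$1" || { echo "not an IPv4 network: $1" >&2; return 1; }
    $IPFW add 1800 allow udp from "$1" to me 123 keep-state
}

# Constructed sample input (documentation addresses), dry run only.
if [ "$IPFW" = "echo ipfw" ]; then
    ntp_client_rules 192.0.2.10 192.0.2.11
    ntp_server_rules 192.168.1.0/24
fi
```

The check-state rule has to sit ahead of the deny rules; without it the replies from the trusted servers would be dropped along with everything else.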