Re: securing a network with nfs

From: Derek D. Martin (ddm@mclinux.com)
Date: 08/13/01


Date: Mon, 13 Aug 2001 14:27:48 -0400
From: "Derek D. Martin" <ddm@mclinux.com>
To: Sven Kamphuis <sven@cb3rob.net>
Subject: Re: securing a network with nfs
Message-ID: <20010813142747.D21831@mclinux.com>

Sven Kamphuis said:

> the newer RFCs say this timeout is 5 seconds...
> (for SMTP mail that is)
> older RFCs indeed say it's 30 seconds.

That may well be true, but many vendors still ship Sendmail 8.9.3 or
earlier, which wait 30 seconds by default. I'm not sure whether or
not more recent versions do. It *CAN* be changed with a config option
in sendmail. However, other services do this too, and they may or may
not be able to change their timeout with config options...

> however I see no reason to deny ident requests, as ident is a rather
> simple protocol and it's pretty easy to write a daemon which is secure.

I can help you here: identd tells a remote server about the client
who has made a connection. This is regarded by many as an invasion of
privacy, and can also be a form of information-gathering attack.

> (for a dedicated mailserver it would be no problem to just return fake
> answers and ignore all input anyway)

That's not a bad idea... have links to an identd server that can be
configured to always return bogus info?

-- 
Derek Martin
Senior System Administrator
Mission Critical Linux
martin@MissionCriticalLinux.com
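
An added example, not part of the original message: a minimal RFC 1413 (ident) responder of the kind discussed above, which never looks up the real connection owner and replies at once, so the querying server does not have to sit out its ident timeout. The names `build_reply` and `fixed_user`, the test port 1113, and the choice of `UNKNOWN-ERROR` for unparseable queries are assumptions of this example.

```python
import re
import socketserver
from typing import Optional

# RFC 1413 query: "<port-on-server> , <port-on-client>" terminated by CRLF.
QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
MAX_QUERY = 1000  # RFC 1413 limits a line to 1000 characters


def build_reply(line: bytes, fixed_user: Optional[str] = None) -> bytes:
    """Answer one ident query without consulting any connection table."""
    try:
        m = QUERY_RE.match(line.decode("ascii"))
    except UnicodeDecodeError:
        m = None
    if m is None:
        # Assumption of this example: unparseable input gets a generic error.
        return b"0 , 0 : ERROR : UNKNOWN-ERROR\r\n"
    srv_port, cli_port = int(m.group(1)), int(m.group(2))
    if not (1 <= srv_port <= 65535 and 1 <= cli_port <= 65535):
        return f"{srv_port} , {cli_port} : ERROR : INVALID-PORT\r\n".encode("ascii")
    if fixed_user is None:
        # Default: disclose nothing, using the RFC's HIDDEN-USER error.
        return f"{srv_port} , {cli_port} : ERROR : HIDDEN-USER\r\n".encode("ascii")
    # Optional: the same constant user-id for every connection.
    reply = f"{srv_port} , {cli_port} : USERID : OTHER : {fixed_user}\r\n"
    return reply.encode("ascii")


class IdentHandler(socketserver.StreamRequestHandler):
    timeout = 5  # seconds; drop clients that connect and send nothing

    def handle(self):
        try:
            line = self.rfile.readline(MAX_QUERY)
        except OSError:  # includes socket timeouts
            return
        if line:
            self.wfile.write(build_reply(line))


if __name__ == "__main__":
    # The real service port is 113/tcp and needs privilege to bind;
    # 1113 on loopback is an arbitrary unprivileged port for testing.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 1113), IdentHandler) as srv:
        srv.serve_forever()
```
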


