Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)
From: Trevor Fiatal (trevor@fiatal.net)
Date: 11/05/01
Message-ID: <3BE5E612.77A0BE70@fiatal.net>
Date: Sun, 04 Nov 2001 17:06:26 -0800
From: Trevor Fiatal <trevor@fiatal.net>
To: Fabrice Bacchella <fabrice.bacchella@synaptique.com>
Subject: Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)
Fabrice Bacchella wrote:
>
> > * Compile and install the tcpwrappers package. Set up policies in hosts.allow
> > for in.telnetd, in.ftpd, in.rshd, and sshd. Pay especially close attention to the
> > private cluster networks for in.rshd access. Make sure hosts.deny is set
> > up to deny everything else by default.
>
> I always had a bad feeling about tcpwrappers, it can only protect a few
> daemons, those running with inetd and those willing to do so. That's
> little use against a hacker, who will just try something else. Try
> something like ipf instead, you can protect every service running on
> your machine.
>
> And there is no interest in running at the same time telnet, ftp, rsh
> and ssh. Are you sure someone in your organisation will not one day use
> telnet instead of ssh, just because he doesn't have ssh on his computer?
> Just cut all those and dtlogin too. Ssh should be the only remote access
> on your computer if you want it to be useful.
Under most circumstances, I would agree with you.
However, this thread concerns securing SunCluster 2.2 and 3.0
systems. What you've just proposed will break SunCluster and most
likely cause SunService to declare the broken cluster unsupportable
until you reverse the changes. You *really* don't want a SunCluster
system running in production without SunService support.
-Trevor
-- Trevor Fiatal -- trevor@seven.com -- http://www.seven.com/ Co-Founder, CSO SEVEN 510.967.4556 (work/mobile) 510.401.8054 (vmail/fax)
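The tcpwrappers policy discussed in this message (rsh limited to the private cluster networks, everything else denied by default) can be checked mechanically. The following is an added example, not part of the original thread: the function names, sample policy and network addresses are constructed placeholders, and only IPv4 patterns are handled. Wildcards, hostnames and `EXCEPT` clauses are reported conservatively as findings.

```python
import ipaddress

def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny text."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            rules.append(tuple(f.replace(",", " ").split() for f in fields[:2]))
    return rules

def pattern_to_net(pat):
    """IPv4 client pattern -> network; None for wildcards and hostnames."""
    try:
        if pat.endswith("."):  # prefix form such as "10.254.1."
            octets = pat.rstrip(".").split(".")
            addr = ".".join(octets + ["0"] * (4 - len(octets)))
            return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")
        return ipaddress.ip_network(pat)  # "a.b.c.d" or "net/mask"
    except ValueError:
        return None

def audit(allow_text, deny_text, private_nets, restricted=("in.rshd",)):
    """List rules that expose restricted daemons beyond private_nets."""
    nets = [ipaddress.ip_network(n) for n in private_nets]
    findings = []
    for daemons, clients in parse_rules(allow_text):
        hit = [d for d in daemons if d in restricted or d == "ALL"]
        for pat in clients if hit else []:
            net = pattern_to_net(pat)
            if net is None or not any(net.subnet_of(p) for p in nets):
                findings.append(f"hosts.allow: {','.join(hit)} open to {pat}")
    if (["ALL"], ["ALL"]) not in parse_rules(deny_text):
        findings.append("hosts.deny: no 'ALL: ALL' default-deny rule")
    return findings

# Constructed sample policy and placeholder networks (not from the thread).
SAMPLE_ALLOW = """\
sshd: 192.0.2.0/255.255.255.0
in.telnetd, in.ftpd: 192.0.2.
in.rshd: 10.254.1., 10.254.2., 192.0.2.
"""
SAMPLE_DENY = "ALL: ALL\n"
PRIVATE_NETS = ["10.254.1.0/24", "10.254.2.0/24"]
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ALLOW, SAMPLE_DENY, PRIVATE_NETS)))
```

On the sample policy the audit reports the `in.rshd` entry for `192.0.2.`, the one client pattern that falls outside the placeholder private networks.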