Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)

From: Vladimir Ivanov (VIvanov@tee.toshiba.de)
Date: 11/05/01


Message-ID: <3BE6C47C.B1ADD2E1@tee.toshiba.de>
Date: Mon, 05 Nov 2001 17:55:24 +0100
From: Vladimir Ivanov <VIvanov@tee.toshiba.de>
To: focus-sun@securityfocus.com
Subject: Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)

Fabrice Bacchella wrote:
>
> > * Compile and install the tcpwrappers package. Set up policies in hosts.allow
> > for in.telnetd, in.ftpd, in.rshd, and sshd. Pay especially close attention to the
> > private cluster networks for in.rshd access. Make sure hosts.deny is set
> > up to deny everything else by default.
>
> I always had a bad feeling about tcpwrappers, it can only protect a few
> daemons, those running with inetd and those willing to do so. That's
> little use against hackers, who will just try something else. Try
> something like ipf instead, you can protect every service running on
> your machine.
>
> And there is no interest in running at the same time telnet, ftp, rsh
> and ssh. Are you sure someone in your organisation will not one day use
> telnet instead of ssh, just because he doesn't have ssh on his computer?
> Just cut all those and dtlogin too. Ssh should be the only remote access
> on your computer if you want it to be useful.

ssh could be compiled with libwrap; then you will be able to use the tcp
wrappers configuration files for it.

Also, AFAIR 2 or 3 months ago there was a discussion here about the
possibility of adding libwrap-like behavior to Solaris's own utilities
(like rpcbind, dtlogin etc.), which are not started from inetd.

I think the last mail was from Casper Dik (sorry if I write the name
wrong), saying that he would investigate such a possibility and the need
for it.

-- 
Vladimir Ivanov                      
System Administrator                 E-Mail:  VIvanov@tee.toshiba.de
Toshiba Electronics Europe GmbH      Tel/Fax: +49-211-5296-297/386
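The hosts.allow / hosts.deny policy discussed above (sshd and in.rshd restricted to specific networks, everything else denied by default) modelled as a small rule evaluator. This is an added example, not code from the thread or from tcp_wrappers itself; the policy text and the cluster addresses (192.0.2.0/24 admin network, 172.16.0.0/24 and 172.16.1.0/24 private interconnects) are constructed for a hypothetical two-node cluster.

```python
"""Model libwrap's hosts.allow / hosts.deny decision for one connection.
Added example, not from the original thread: hosts.allow is consulted
first, then hosts.deny, and a client matched by neither is allowed. Only
the ALL, trailing-dot prefix and net/mask client patterns are implemented.
"""
import ipaddress

# Constructed policy for a hypothetical two-node cluster: sshd only from
# the admin network, in.rshd only from the private interconnects, and
# everything else (in.telnetd, in.ftpd, ...) denied by default.
HOSTS_ALLOW = """\
sshd    : 192.0.2.
in.rshd : 172.16.0.0/255.255.255.0 172.16.1.0/255.255.255.0
"""
HOSTS_DENY = "ALL : ALL\n"


def parse_rules(text):
    """Yield (daemon_list, client_list); comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":")[:2]
            yield daemons.split(), clients.split()


def client_matches(pattern, addr):
    """ALL matches anything; '10.1.2.' is a prefix; 'net/mask' is a subnet."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr


def matches(rules, daemon, addr):
    """True if any rule names the daemon (or ALL) and one client pattern hits."""
    return any(("ALL" in d or daemon in d) and any(client_matches(p, addr) for p in c)
               for d, c in rules)


def access_allowed(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Allow-file match grants, deny-file match refuses, no match grants."""
    if matches(parse_rules(allow), daemon, addr):
        return True
    return not matches(parse_rules(deny), daemon, addr)
```

The last branch is the point of the advice to set up hosts.deny: without the `ALL : ALL` line, a daemon that no hosts.allow rule mentions is reachable from anywhere.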