Re: Deny local socket/port binding on server.

From: Tim Haynes (usenet@stirfried.vegetable.org.uk)
Date: 01/18/03


From: Tim Haynes <usenet@stirfried.vegetable.org.uk>
Date: Sat, 18 Jan 2003 09:25:46 +0000

QuestionGuy <screw@spam.bots> writes:

> Tim Haynes wrote:
>>
>> You're looking for the GRSecurity patches. Specifically, the options for
>> restricting certain groups from establishing client and/or server sockets:
>>
>> | zsh/scr, 10:38PM / # grep sock /etc/group
>> | socknone:x:999
>> | socknocli:x:998:gateway
>> | socknosrv:x:997:apache
>> |
>> | CONFIG_GRKERNSEC_SOCKET_ALL_GID=998
>> | CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=997
>> | CONFIG_GRKERNSEC_SOCKET_SERVER_GID=996
>
> Thanks Tim. That's what I'm looking for. I installed this patch already,
> but I likely didn't choose the correct options.

Aye, groovy. S'not hard; you just want to do the obvious things with
/etc/group, making the numbers add up, and remember to enable the things in
sysctl as well. (You may want to do a custom config of the grsec menu.)

[snip]
> I have policies stating they can't run such services, but that's not
> going to stop someone from doing that, now is it?! This prevents people
> from being able to do a variety of things. I.e., the only way to stop a
> DoS attack, is to make the server at the other end that is the source, to
> not be able to be a source.
>
> I can surely terminate an account that violates the TOS, but if they've
> opened up a service to listen on a port to allow people a means to
> perhaps circumvent something or to do something annoying or abusive,
> it's sort of already too late.

Well quite!

I see it as a matter of balancing what you can restrict in software with
what can be done in wetware. Go for it, with my blessing and such tiny bit
of help as need be! :)

> I just like having a means to limit things. It's only one small step and
> certainly doesn't make the system secure in itself, but it's one more
> thing that makes my job as an administrator easier and it makes the
> system better protected.

Check: rate-limited outgoing udp and icmp? :)

~Tim

-- 
It's enough that I can see the morning      |piglet@stirfried.vegetable.org.uk
In miracles much more than I can say        |http://spodzone.org.uk/
It's enough to keep me still believing      |
In drifting hearts so far away              |
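The "making the numbers add up" step above is where this setup usually goes wrong: the GID compiled into each CONFIG_GRKERNSEC_SOCKET_*_GID option must match the group that is supposed to carry the restriction, and in the quoted snippet they are off by one. The script below is an added example (not code from the thread or from grsecurity) that cross-checks a group file against a kernel .config and prints the sysctl lines that switch the restrictions on at runtime. Assumptions: the group names socknone/socknocli/socknosrv map to the ALL/CLIENT/SERVER options as the quoted message implies, the sample group file and configs are constructed from the quoted values, and the kernel.grsecurity.socket_* sysctl keys are the names grsecurity exposes under CONFIG_GRKERNSEC_SYSCTL (verify against your own kernel's sysctl tree).

```shell
#!/bin/sh
# Added example (not from the thread): cross-check grsecurity socket-restriction
# GIDs against /etc/group and emit the matching sysctl settings.
# Group names follow the quoted message (socknone, socknocli, socknosrv);
# all sample data below is constructed for the demonstration.

# Print the numeric GID of group $1 from the group file $2 (/etc/group format).
group_gid() {
    awk -F: -v name="$1" '$1 == name { print $3; exit }' "$2"
}

# Print the value of CONFIG_GRKERNSEC_SOCKET_$1_GID from the kernel .config $2.
config_gid() {
    sed -n "s/^CONFIG_GRKERNSEC_SOCKET_$1_GID=//p" "$2"
}

# Verify that each socket-restriction GID in the kernel config points at the
# group meant to carry it. Returns 0 when all three agree, 1 otherwise, and
# lists every problem on stdout.
check_grsec_socket_gids() {
    groupfile=$1
    config=$2
    rc=0
    for pair in "ALL:socknone" "CLIENT:socknocli" "SERVER:socknosrv"; do
        opt=${pair%%:*}
        grp=${pair#*:}
        want=$(group_gid "$grp" "$groupfile")
        have=$(config_gid "$opt" "$config")
        if [ -z "$want" ]; then
            echo "MISSING group $grp in $groupfile"; rc=1
        elif [ "$want" != "$have" ]; then
            echo "MISMATCH CONFIG_GRKERNSEC_SOCKET_${opt}_GID=$have but $grp has gid $want"; rc=1
        fi
    done
    return $rc
}

# Emit sysctl lines that turn the restrictions on at runtime.
# Assumption: kernel.grsecurity.socket_{all,client,server} and the matching
# *_gid keys are the names grsecurity registers when CONFIG_GRKERNSEC_SYSCTL
# is enabled; check them against your kernel before relying on this.
grsec_socket_sysctl_lines() {
    groupfile=$1
    for pair in "all:socknone" "client:socknocli" "server:socknosrv"; do
        key=${pair%%:*}
        grp=${pair#*:}
        gid=$(group_gid "$grp" "$groupfile")
        [ -n "$gid" ] || continue
        echo "kernel.grsecurity.socket_$key = 1"
        echo "kernel.grsecurity.socket_${key}_gid = $gid"
    done
}

# Constructed sample data: the group file from the quoted message, the config
# values as quoted (which do not line up with it), and a corrected config.
SAMPLE_GROUP=$(mktemp)
cat >"$SAMPLE_GROUP" <<'EOF'
root:x:0:
socknone:x:999:
socknocli:x:998:gateway
socknosrv:x:997:apache
EOF

QUOTED_CONFIG=$(mktemp)
cat >"$QUOTED_CONFIG" <<'EOF'
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=998
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=997
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=996
EOF

FIXED_CONFIG=$(mktemp)
cat >"$FIXED_CONFIG" <<'EOF'
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=999
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=998
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=997
EOF

echo "== quoted config =="
check_grsec_socket_gids "$SAMPLE_GROUP" "$QUOTED_CONFIG" || echo "numbers do not add up"
echo "== fixed config =="
check_grsec_socket_gids "$SAMPLE_GROUP" "$FIXED_CONFIG" && echo "consistent"
grsec_socket_sysctl_lines "$SAMPLE_GROUP"
```

Run it as-is to see the three mismatches from the quoted values, then point the two functions at the real /etc/group and the running kernel's .config. The sysctl lines it prints are what the "enable the things in sysctl" step amounts to; a GID that is right in /etc/group but wrong in the compiled config, or vice versa, silently leaves the wrong group restricted.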