Re: Security tutorials considered inadequate
From: Menno Duursma (pan_at_desktop.lan)
Date: 01/06/05
- Next message: Charles Packer: "Re: Security tutorials considered inadequate"
- Previous message: Menno Duursma: "Re: Security tutorials considered inadequate"
- In reply to: Tim Haynes: "Re: Security tutorials considered inadequate"
- Next in thread: Menno Duursma: "Re: Security tutorials considered inadequate"
- Reply: Menno Duursma: "Re: Security tutorials considered inadequate"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 06 Jan 2005 13:40:41 GMT
On Wed, 05 Jan 2005 14:21:09 +0000, Tim Haynes wrote:
> mailbox@cpacker.org (Charles Packer) writes:
>
> [snip]
>> auth,
>
> inetd
Probably. However, some people might need to run this (allowing access from
some (IRC, FTP, mail, shell) servers to it.) Rather than disable it, however,
run it under its own account, then:
http://groups.google.nl/groups?selm=pan.2004.10.25.16.30.30.717241%40desktop.lan
And either set up packet-filter rules:
http://groups.google.nl/groups?selm=pan.2004.11.22.20.41.31.895109%40desktop.lan
Patch it with libwrap (tcp_wrapper) support:
http://groups.google.nl/groups?selm=QYvCd.67070%24Lv.8697%40amsnews02.chello.com
Or run it out of "xinetd" or something ...
>> 953,
>
> Isn't that the one related to sendmail?
Nope.
> Might have to look at what it does
> first before walloping it on the head.
It's the command channel for the "named" DNS service from the BIND package.
Most likely, people _do_ want this running (as a cache) on one of their LAN
boxen, as it speeds up most queries and saves some traffic from/to their
ISP machines, i.e.:
http://groups.google.nl/groups?selm=pan.2006.12.07.17.24.14.706281%40desktop.lan
If this is just one machine, the "listen-on" directive should of course only
read: 127.0.0.1 ...
And in any case, you'll want it started under its own account like:
#!/bin/sh
# Create a dedicated, locked-down account for named (run as root).
NEW_UG=named
# Anchor the pattern to the name field so e.g. "unnamed" does not match.
if ! grep -q "^$NEW_UG:" /etc/group ; then
groupadd $NEW_UG
gpasswd -R $NEW_UG   # restrict access to the group (nobody can newgrp into it)
grpconv              # sync /etc/gshadow
fi
if ! grep -q "^$NEW_UG:" /etc/passwd ; then
# No real home directory and no login shell for the service account.
useradd -d /var/$NEW_UG -g $NEW_UG -s /bin/false $NEW_UG
passwd -l $NEW_UG    # lock the password
pwconv               # sync /etc/shadow
fi
Make sure that user can write a .pid file for itself, like:
chown -R named:named /var/named
And have it started under that account - at boot. Which would be editing
some script in either /etc/init.d , /sbin/init.d , /etc/rc.d - or some
such - to include "-u named" as the starting option.
[ Snip, informative stuff. ]
-- -Menno.
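An added example, not from the post above, that checks the two points it makes: that named runs under its own account and that the rndc command channel on port 953 is bound to the loopback address only. It assumes the account is called "named" and parses the output formats of `ps -eo user,comm` and `ss -ltn`/`netstat -ltn` (local address in the fourth column); the sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the hardening points:
# named should run as the "named" account (assumed name), and TCP port 953
# should listen on 127.0.0.1 / ::1 only.

# Return 0 if every "named" process in a `ps -eo user,comm` listing ($1)
# runs as the user given in $2.
named_runs_as() {
    ps_out="$1"; want="$2"
    bad=$(printf '%s\n' "$ps_out" | awk -v u="$want" '$2 == "named" && $1 != u')
    [ -z "$bad" ]
}

# Return 0 if no listener on TCP port 953 in an `ss -ltn` / `netstat -ltn`
# listing ($1) is bound outside the loopback addresses.
port953_loopback_only() {
    listing="$1"
    bad=$(printf '%s\n' "$listing" | awk \
        '$4 ~ /:953$/ && $4 !~ /^127\.0\.0\.1:/ && $4 !~ /^\[?::1\]?:/ {print $4}')
    [ -z "$bad" ]
}

# Constructed sample listings (what a hardened and an unhardened box would show).
PS_GOOD='USER     COMMAND
root     init
named    named'
PS_BAD='USER     COMMAND
root     named'
SS_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      10     127.0.0.1:953      0.0.0.0:*
LISTEN 0      10     127.0.0.1:53       0.0.0.0:*'
SS_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      10     0.0.0.0:953        0.0.0.0:*'

# Exercise the checks against the constructed samples; returns 0 if they
# classify each sample as expected.
audit_samples() {
    named_runs_as "$PS_GOOD" named || return 1
    named_runs_as "$PS_BAD" named && return 1
    port953_loopback_only "$SS_GOOD" || return 1
    port953_loopback_only "$SS_BAD" && return 1
    return 0
}

audit_samples && echo "sample checks behave as expected"
```

On a live box, run the same functions on real output: `named_runs_as "$(ps -eo user,comm)" named` and `port953_loopback_only "$(ss -ltn)"`.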