Re: Security tutorials considered inadequate
From: Menno Duursma (pan_at_desktop.lan)
Date: Thu, 06 Jan 2005 13:40:41 GMT
On Wed, 05 Jan 2005 14:21:09 +0000, Tim Haynes wrote:
> firstname.lastname@example.org (Charles Packer) writes:
Probably. However some people might need to run this (allowing access from
some (IRC, FTP, mail, shell) servers to it.) Rather than disable, however,
run it under its own account, then:
And either set up packet-filter rules:
Patch it with libwrap (tcp_wrapper) support:
Or run it out of "xinetd" or something ...
> Isn't that the one related to sendmail?
> Might have to look at what it does
> first before walloping it on the head.
It's the command channel for the "named" DNS service from the BIND package.
Most likely, people _do_ want this running (as cache) on one of their LAN
boxen. As it speeds up most queries, and saves some traffic from/to their
ISP machines, i.e.:
If this is just one machine the "listen-on" directive should of course only
read: 127.0.0.1 ...
And in any case, you'll want it started under its own account like:
NEW_UG=named   # assumed value; the variable is not set anywhere in the post
if ! grep -q "^$NEW_UG:" /etc/group ; then
    groupadd $NEW_UG      # create the group first; gpasswd -R alone cannot create it
    gpasswd -R $NEW_UG    # nobody can "newgrp" into it
fi
if ! grep -q "^$NEW_UG:" /etc/passwd ; then
    useradd -d /var/$NEW_UG -g $NEW_UG -s /bin/false $NEW_UG
    passwd -l $NEW_UG     # lock the password so the account cannot log in
fi
Make sure that user can write a .pid file for itself, like:
chown -R named:named /var/named
And have it started under that account - at boot. Which would be editing
some script in either /etc/init.d , /sbin/init.d , /etc/rc.d - or some
such - to include "-u named" as the starting option.
[ Snip, informative stuff. ]
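As an added example that is not part of the original post, the script below audits the three points the reply makes: the "listen-on" list restricted to 127.0.0.1, the rndc "controls" channel (TCP 953 by default) bound to loopback with an allow list, and the init script starting named with "-u <account>". The named.conf and init-script texts are constructed sample files written to a temp directory, so it runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a named.conf and an init
# script for the hardening settings discussed in the thread. All input files
# below are constructed samples.

TMP=$(mktemp -d)
GOOD_CONF="$TMP/named.good.conf"
WEAK_CONF="$TMP/named.weak.conf"
GOOD_INIT="$TMP/init.good"
WEAK_INIT="$TMP/init.weak"

cat >"$GOOD_CONF" <<'EOF'
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; };
    recursion yes;
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF

cat >"$WEAK_CONF" <<'EOF'
options {
    directory "/var/named";
    listen-on { any; };
};
controls {
    inet * port 953 allow { any; };
};
EOF

echo 'daemon /usr/sbin/named -u named -c /etc/named.conf' >"$GOOD_INIT"
echo 'daemon /usr/sbin/named -c /etc/named.conf'          >"$WEAK_INIT"

# 0 if every IPv4 "listen-on { ... };" list in $1 contains only 127.0.0.1.
listen_on_loopback_only() {
    addrs=$(sed -n 's/.*listen-on[[:space:]][^{]*{\([^}]*\)}.*/\1/p' "$1" \
            | tr ';' '\n' | tr -d ' \t')
    [ -n "$addrs" ] || return 1   # no listen-on at all: named binds every interface
    for a in $addrs; do
        [ "$a" = "127.0.0.1" ] || return 1
    done
    return 0
}

# 0 if the controls statement in $1 binds 127.0.0.1 and carries an allow list.
controls_restricted() {
    grep -E 'inet[[:space:]]+127\.0\.0\.1[^;]*allow[[:space:]]*\{[^}]*\}' "$1" >/dev/null
}

# 0 if the start command in $1 passes "-u <account>" to named.
starts_unprivileged() {
    grep -E 'named[^#]*[[:space:]]-u[[:space:]]+[A-Za-z_][A-Za-z0-9_-]*' "$1" >/dev/null
}

# Prints one line per check; returns 0 only when all three pass.
audit_named() {
    conf="$1"; init="$2"; rc=0
    if listen_on_loopback_only "$conf"; then echo "ok   listen-on is 127.0.0.1 only"
    else echo "WEAK listen-on accepts non-loopback addresses"; rc=1; fi
    if controls_restricted "$conf"; then echo "ok   controls bound to 127.0.0.1 with allow list"
    else echo "WEAK controls channel not restricted to loopback"; rc=1; fi
    if starts_unprivileged "$init"; then echo "ok   named started with -u"
    else echo "WEAK named started without -u (would run as root)"; rc=1; fi
    return $rc
}

echo "== sample hardened setup"; audit_named "$GOOD_CONF" "$GOOD_INIT"
echo "== sample weak setup";     audit_named "$WEAK_CONF" "$WEAK_INIT" || true
```

Point the two audit arguments at the real /etc/named.conf and the init script mentioned in the post to run it against a live box; the checks only read the files, so they need no privileges. The listen-on check deliberately fails closed when no directive is present, because BIND then listens on every interface.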