* need a volunteer
From: brian Moore
To: speakup

Greetings all. Okay, finally got my Linux box up and all my services running the way I want. My mail server is finally doing what I want. I think I have all my ipchains rules set up right and plugged all the security holes I know of. The one I'm not clear on is my port 25 security. If this machine ever becomes a spam host, I will have to shoot myself, so I want to make real sure that no one except those in my local network can use it. Probably asking for trouble, but got all my logging on verbose to see what happens. Can someone try and use my SMTP server and see if you can? If you notice anything else, let me know as well.

Would really appreciate it.

Host is bmoore.yi.org

Thanks,
brian.
* Re: need a volunteer
From: Frank J. Carmickle
To: brian Moore; Cc: speakup

Ok Brian.
How secure do you want this machine that lives on the wonderfully insecure network of athome? I would imagine that you want something that's a little tighter than what you have right now. When I portscan you I see 21, 23, 24, 80, 110 and 113. Looks like everything else is closed up. My recommendation to you is to get ssh on your box and forget about telnet and ftp for starters. Why you have pop3 waiting for connections is something else I would think you would want shut down. If you really need http, keep it. However, if you have another machine that you can specifically set up as a firewall, you will be a lot happier to know that all of the traffic to your http server can be logged. Same goes for everything else.

One thing that you really also want to have happening is some ipchains rules set up so that your machine doesn't respond to portscans or ping requests. This should fool most people looking around to find someone vulnerable. I'll post an ipchains rule set that has a lot of this done for you already. Then Kerry can go over it with a fine tooth comb and tell me what's wrong with it.

HTH
FC

On Fri, 27 Oct 2000, brian Moore wrote:
> The one I'm not clear on is my port 25 security. If this machine ever
> becomes a spam host, I will have to shoot myself, so I want to make real
> sure that no one except those in my local network can use it.
> [...]
> Host is bmoore.yi.org
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
* Re: need a volunteer
From: Kerry Hoath
To: speakup

Be aware that when a port is open it has to respond correctly in the 3-way handshake so that machines can connect to it. Regarding pop: if you must have pop3 service, use apop or md5 style authentication. I'd think it better to block incoming pop on the cable interface and use imap with cram-md5 authentication, but that isn't trivial to configure.

Regards, Kerry.

On Sat, Oct 28, 2000 at 02:23:35AM -0400, Frank J. Carmickle wrote:
> One thing that you really also want to have happening is some ipchains
> rules set up so that your machine doesn't respond to portscans or ping
> requests.
> [...]

--
Kerry Hoath: kerry@gotss.eu.org
Alternates: kerry@emusys.com.au kerry@gotss.spice.net.au or khoath@lis.net.au
ICQ UIN: 62823451
* Re: need a volunteer
From: Brent Harding
To: speakup

Regarding security on cable, is it really an issue that if things aren't set up right, people down the street from you have easier access to your machine because all those machines down the street are one big network? I'm not sure if roadrunner works the same as athome, but I've heard of this online. My friend who uses roadrunner claims to have had his clock fiddled around with in Windows, discovering the error when he tried to reboot and it gave the message of other users connected on the system, and Network Neighborhood brought him to a DOS box.
In Windows, ports 135, 138, and 139 are probably always open, but you can't do much too useful with them.

At 05:43 PM 10/28/00 +1100, you wrote:
>Be aware that when a port is open it has to respond correctly in the
>3-way handshake so that machines can connect to it.
>[...]
* Re: need a volunteer
From: Kerry Hoath
To: speakup

Not much; just bluescreen crash or reboot an unpatched win95 or win98 box.

On Sat, Oct 28, 2000 at 02:21:35PM -0500, Brent Harding wrote:
> In Windows, ports 135, 138, and 139 are probably always open, but you can't
> do much too useful with them.
> [...]
* Re: need a volunteer
From: Geoff Shang
To: speakup

On Sat, 28 Oct 2000, Brent Harding wrote:
> In Windows, ports 135, 138, and 139 are probably always open, but you can't
> do much too useful with them.

Hmmm. I only have 139 open on our Windows box. This port is labeled netbios-ssn, which is used for sharing Windows drives and probably printers. If you have this port open on a cable network and someone manages to hack their way into your drive shares, no file is safe.

Geoff.

--
Geoff Shang <gshang10@scu.edu.au>
ICQ number 43634701
* Re: need a volunteer
From: Kerry Hoath
To: speakup

Port 139 tcp is used for smb connections; port 137 udp is used for name resolution and 138 is used for netbios datagram services. Best to block 137-139 tcp and udp for maximum safety, or don't even run smb on the external interfaces. I run two networks here: one on 192.168.1.x for Windows, and my externally visible network.

Regards, Kerry.

On Sun, Oct 29, 2000 at 01:00:38PM +1100, Geoff Shang wrote:
> Hmmm. I only have 139 open on our Windows box. This port is labeled
> netbios-ssn, which is used for sharing Windows drives and probably printers.
> If you have this port open on a cable network and someone manages to hack
> their way into your drive shares, no file is safe.
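Brian's port 25 worry, Frank's advice (ssh instead of telnet and ftp, no answer to pings or port scans, log what gets denied) and Kerry's point about blocking 137-139 tcp and udp on the external interface all end up as ipchains rules, so here they are as one ruleset. This is an example added by the editor for a Linux 2.2 ipchains host, not the rule set Frank promised to post; the interface names eth0/eth1, the LAN 192.168.1.0/24 and the resolver address are placeholders.

```shell
#!/bin/sh
# Added example: an ipchains (Linux 2.2) input ruleset for a single host on a
# cable-modem network, built from the advice in this thread. Not the rule set
# Frank promised. Placeholders (assumptions, adjust for your own box):
#   EXT_IF   cable-modem interface        LAN_IF   interface facing the LAN
#   LAN      local network whose clients may use the mail server
#   RESOLVER the ISP's DNS server this host queries
# Run "sh rules.sh apply" to load, or call show_rules to print without loading.

IPCHAINS="${IPCHAINS:-ipchains}"
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
RESOLVER="${RESOLVER:-192.0.2.53}"   # placeholder address, not a real resolver

rule() { "$IPCHAINS" "$@"; }

load_rules() {
    rule -F input                          # start from an empty input chain
    rule -P input DENY                     # default: drop silently, send no RST/ICMP back

    rule -A input -i lo -j ACCEPT          # loopback is always fine

    # Anti-spoofing: a LAN source address arriving on the cable side is bogus.
    rule -A input -i "$EXT_IF" -s "$LAN" -j DENY -l
    # LAN clients may use every service, port 25 included.
    rule -A input -i "$LAN_IF" -s "$LAN" -j ACCEPT

    # ipchains keeps no connection state: let replies to connections this host
    # opened back in by accepting TCP segments that are not a bare SYN (! -y).
    rule -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    rule -A input -i "$EXT_IF" -p udp -s "$RESOLVER" --sport 53 -j ACCEPT   # DNS answers

    # ssh replaces telnet (23) and ftp (21); those stay closed by the policy.
    rule -A input -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT
    # rule -A input -i "$EXT_IF" -p tcp --dport 80 -j ACCEPT   # only if the web server must be public

    # Port 25 from outside is logged and denied, so nobody but the LAN can hand
    # this host mail. If the box must receive Internet mail for its domain, the
    # port has to stay open and relay control belongs in the MTA's own config.
    rule -A input -i "$EXT_IF" -p tcp --dport 25 -j DENY -l

    # pop3 (110) and ident (113) are never opened here, so the policy drops them.

    # NetBIOS/SMB never crosses the cable interface, tcp and udp alike.
    rule -A input -i "$EXT_IF" -p tcp --dport 137:139 -j DENY -l
    rule -A input -i "$EXT_IF" -p udp --dport 137:139 -j DENY -l

    # Do not answer ping, so a sweep for live hosts gets nothing back.
    rule -A input -i "$EXT_IF" -p icmp --icmp-type echo-request -j DENY

    # Every other new connection attempt is logged (port scans show up in the
    # kernel log) and dropped; the policy would drop it anyway, these add the log line.
    rule -A input -i "$EXT_IF" -p tcp -y -j DENY -l
    rule -A input -i "$EXT_IF" -p udp -j DENY -l
}

# Print the ruleset without loading it (echo stands in for ipchains).
show_rules() {
    ( IPCHAINS=echo; load_rules )
}

# Number of ipchains commands the ruleset issues; handy as a sanity check.
rule_count() {
    show_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) load_rules ;;
esac
```

Denied packets land in the kernel log (dmesg or /var/log/messages) with the source address and port, which is the verbose logging Brian wanted for watching who pokes at the box.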
* Re: need a volunteer
From: Brent Harding
To: speakup

Wow, portscanning his system showed that port as filtered tcp, and 135 as open; 138 was filtered too. At least it appears that a connection isn't allowed to the outside on that port. Maybe 135 is for AOL Instant Messenger or something.

At 01:00 PM 10/29/00 +1100, you wrote:
>Hmmm. I only have 139 open on our Windows box. This port is labeled
>netbios-ssn, which is used for sharing Windows drives and probably printers.
>[...]
* Re: need a volunteer
From: Geoff Shang
To: speakup

Hi:

Programs like AIM and other such user-space programs generally use ports greater than 1024. I would expect that 135 is something less exotic. But that raises a good point. Anyone know where one can find a definitive port list? More definitive than /etc/services, that is?

Geoff.
* Re: need a volunteer
From: Kirk Wood
To: speakup

Sorry to take so long to find this, but here are places to get a pretty definitive list of ports and their assignments:

http://www.isi.edu/in-notes/iana/assignments/port-numbers
http://info.internet.isi.edu/in-notes/rfc/files/rfc1700.txt

The second file actually accounts for every port below 100 (mentioning which are unassigned). It is some good light reading to do while commuting. (Right, and good luck reading it all.)

Kirk Wood
* Re: need a volunteer
From: Victor Tsaran
To: speakup

Well, that's another thing. If you run Yahoo Messenger, NetMeeting, Napster, some additional ports might be open.

Best,
Vic

******* ******* *******
Have you thought of visiting Cybertsar's Internet Kingdom? It is still alive!
Here is the URL:
http://go.to/vtsaran
or
http://kickme.to/vtsaran
******* ******* *******

----- Original Message -----
From: "Brent Harding" <bharding@ufw2.com>
To: <speakup@braille.uwo.ca>
Sent: Sunday, October 29, 2000 9:44 AM
Subject: Re: need a volunteer

> Wow, portscanning his system showed that port as filtered tcp, and 135 as
> open; 138 was filtered too. At least it appears that a connection isn't
> allowed to the outside on that port. Maybe 135 is for AOL Instant Messenger
> or something.
> [...]
* Re: need a volunteer
From: Victor Tsaran
To: speakup

Hey, FC!
Can you please attach this file with chain rules for me as well? Would be much grateful.

Why did you say to shut down the 110 and 113 ports? They are used for serving POP3 clients. Don't you need to get your email once in a while? I would definitely agree with 23 and 21 being exchanged for the SSH service, which also provides sftp.

Vic

----- Original Message -----
From: "Frank J. Carmickle" <frankiec@braille.uwo.ca>
To: "brian Moore" <admin@bmoore.yi.org>
Cc: <speakup@braille.uwo.ca>
Sent: Friday, October 27, 2000 11:23 PM
Subject: Re: need a volunteer

> My recommendation to you is to get ssh on your box and forget about telnet
> and ftp for starters. Why you have pop3 waiting for connections is
> something else I would think you would want shut down.
> [...]
> I'll post an ipchains rule set that has a lot of this done for
> you already.
> [...]
* Re: need a volunteer
From: Brent Harding
To: speakup

Does sftp work similar to regular ftp? I've heard another bad service to leave running is tftp, as I've heard it's unauthenticated anyway. I'd probably leave pop open, ftp only if I really needed a place to put files for anonymous ftp, download only of course. Can most programs people use handle the nonstandard authentication that would make pop safer, like apop or md5?
In email clients I've used, I've never found settings for md5, but I think Eudora has apop.

At 03:52 AM 10/28/00 -0700, you wrote:
>Why did you say to shut down the 110 and 113 ports? They are used for serving
>POP3 clients. Don't you need to get your email once in a while? I would
>definitely agree with 23 and 21 being exchanged for the SSH service, which also
>provides sftp.
>[...]
* Re: need a volunteer
From: Victor Tsaran
To: speakup

Well, I personally don't like the way some emailers implemented IMAP access. One such emailer is Outlook Express. Pine has done it well, but not all ISPs use IMAP, in which case it would be hard to rely on IMAP only.
Yes, SFTP works the same way as SSH. However, again, there is the same issue: not all ISPs use SSH and therefore you might be bound to using Telnet.

----- Original Message -----
From: "Brent Harding" <bharding@ufw2.com>
To: <speakup@braille.uwo.ca>
Sent: Saturday, October 28, 2000 12:26 PM
Subject: Re: need a volunteer

> Does sftp work similar to regular ftp? I've heard another bad service to
> leave running is tftp, as I've heard it's unauthenticated anyway.
> [...]
> Can most programs people use handle the nonstandard authentication that
> would make pop safer, like apop or md5?
> [...]
* Re: need a volunteer
From: Brent Harding
To: speakup

Is there a way, in the event ISPs wanted to use ssh and sftp, that windows users could access this? I know teraterm does it for ssh, but am not sure what for the sftp, or the pop3-behind-ssh mechanism mentioned in some howto about mail somewhere. The idea of that was so pop passwords were sent through ssh instead of clear text.

At 09:57 PM 10/28/00 -0700, you wrote:
>Well, I personally don't like the way some Emailers implemented IMAP access. One such Emailer is Outlook Express. Pine has done it well, but not all ISPs use IMAP, in which case it would be hard to rely on IMAP only.
>Yes, SFTP works the same way as SSH. However, again, there is the same issue: not all ISPs use SSH and therefore you might be bound to using Telnet.
>
>******* ******* *******
>Have you thought of visiting Cybertsar's Internet Kingdom? It is still alive!
>Here is the URL:
>http://go.to/vtsaran
>or
>http://kickme.to/vtsaran
>
>******* ******* *******
>----- Original Message -----
>From: "Brent Harding" <bharding@ufw2.com>
>To: <speakup@braille.uwo.ca>
>Sent: Saturday, October 28, 2000 12:26 PM
>Subject: Re: need a volunteer
>
>> Does sftp work similar to regular ftp? I've heard another bad service to leave running is tftp, as I've heard it's unauthenticated anyways. I'd probably leave pop open, ftp only if I really needed a place to put files for anonymous ftp, download only of course. Can most programs people use handle the nonstandard authentication that would make pop safer, like apop or md5?
>> In email clients I've used, I've never found settings for md5, but I think eudora has apop.
>>
>> At 03:52 AM 10/28/00 -0700, you wrote:
>> >Hey, FC!
>> >Can you please attach this file with chain rules for me as well?
>> >Would be much grateful.
>> >
>> >Why did you say to shut down the 110 and 113 ports? They are used for serving POP3 clients. Don't you need to get your Email once in a while? I would definitely agree with 23 and 21 to be exchanged for SSH service which also provides sftp.
>> >
>> >Vic
>> >
>> >******* ******* *******
>> >Have you thought of visiting Cybertsar's Internet Kingdom? It is still alive!
>> >Here is the URL:
>> >http://go.to/vtsaran
>> >or
>> >http://kickme.to/vtsaran
>> >
>> >******* ******* *******
>> >----- Original Message -----
>> >From: "Frank J. Carmickle" <frankiec@braille.uwo.ca>
>> >To: "brian Moore" <admin@bmoore.yi.org>
>> >Cc: <speakup@braille.uwo.ca>
>> >Sent: Friday, October 27, 2000 11:23 PM
>> >Subject: Re: need a volunteer
>> >
>> >> Ok Brian.
>> >> How secure do you want this machine that lives on the wonderfully insecure network of athome? I would imagine that you want something that's a little tighter than what you have right now. When I portscan you I see 21, 23, 24, 80, 110 and 113. Looks like everything else is closed up. My recommendation to you is to get ssh on your box and forget about telnet and ftp for starters. Why you have pop3 waiting for connections is something else I would think you would want shut down. If you really need http keep it. However if you have another machine that you can specifically set up as a firewall you will be a lot happier to know that all of the traffic to your http server can be logged. Same goes for everything else.
>> >>
>> >> One thing that you really also want to have happening is some ipchains rules set up so that your machine doesn't respond to portscans or ping requests. This should fool most people looking around to find someone vulnerable. I'll post an ipchains rule set that has a lot of this done for you already. Then Kerry can go over it with a fine tooth comb and tell me what's wrong with it.
>> >>
>> >> HTH
>> >> FC
>> >>
>> >> On Fri, 27 Oct 2000, brian Moore wrote:
>> >>
>> >> > Greetings all. Okay, finally got my linux box up and all my services running the way I want. My mail server is finally doing what I want. I think I have all my ipchains rules set up right and plugged all the security holes I know of. The one I'm not clear on is my port 25 security. If this machine ever becomes a spam host, I will have to shoot myself, so I want to make real sure that no one except those in my local network can use it. Probably asking for trouble but got all my logging on verbose to see what happens. Can someone try and use my smtp server and see if you can. If you notice anything else, let me know as well.
>> >> >
>> >> > Would really appreciate it.
>> >> >
>> >> > host is bmoore.yi.org
>> >> > thanks. brian.
* Re: need a volunteer
From: Victor Tsaran
To: speakup

I think there is an extension for TeraTerm. See on their web site!
Vic

******* ******* *******
Have you thought of visiting Cybertsar's Internet Kingdom? It is still alive!
Here is the URL:
http://go.to/vtsaran
or
http://kickme.to/vtsaran
******* ******* *******

----- Original Message -----
From: "Brent Harding" <bharding@ufw2.com>
To: <speakup@braille.uwo.ca>
Sent: Saturday, October 28, 2000 6:31 PM
Subject: Re: need a volunteer

> Is there a way, in the event ISPs wanted to use ssh and sftp, that windows users could access this? I know teraterm does it for ssh, but am not sure what for the sftp, or the pop3-behind-ssh mechanism mentioned in some howto about mail somewhere. The idea of that was so pop passwords were sent through ssh instead of clear text.
>
> At 09:57 PM 10/28/00 -0700, you wrote:
> >Well, I personally don't like the way some Emailers implemented IMAP access. One such Emailer is Outlook Express. Pine has done it well, but not all ISPs use IMAP, in which case it would be hard to rely on IMAP only.
> >Yes, SFTP works the same way as SSH. However, again, there is the same issue: not all ISPs use SSH and therefore you might be bound to using Telnet.
> >
> >******* ******* *******
> >Have you thought of visiting Cybertsar's Internet Kingdom? It is still alive!
> >Here is the URL:
> >http://go.to/vtsaran
> >or
> >http://kickme.to/vtsaran
> >
> >******* ******* *******
> >----- Original Message -----
> >From: "Brent Harding" <bharding@ufw2.com>
> >To: <speakup@braille.uwo.ca>
> >Sent: Saturday, October 28, 2000 12:26 PM
> >Subject: Re: need a volunteer
> >
> >> Does sftp work similar to regular ftp? I've heard another bad service to leave running is tftp, as I've heard it's unauthenticated anyways. I'd probably leave pop open, ftp only if I really needed a place to put files for anonymous ftp, download only of course. Can most programs people use handle the nonstandard authentication that would make pop safer, like apop or md5?
> >> In email clients I've used, I've never found settings for md5, but I think eudora has apop.
> >>
> >> At 03:52 AM 10/28/00 -0700, you wrote:
> >> >Hey, FC!
> >> >Can you please attach this file with chain rules for me as well?
> >> >Would be much grateful.
> >> >
> >> >Why did you say to shut down the 110 and 113 ports? They are used for serving POP3 clients. Don't you need to get your Email once in a while? I would definitely agree with 23 and 21 to be exchanged for SSH service which also provides sftp.
> >> >
> >> >Vic
> >> >
> >> >******* ******* *******
> >> >Have you thought of visiting Cybertsar's Internet Kingdom? It is still alive!
> >> >Here is the URL:
> >> >http://go.to/vtsaran
> >> >or
> >> >http://kickme.to/vtsaran
> >> >
> >> >******* ******* *******
> >> >----- Original Message -----
> >> >From: "Frank J. Carmickle" <frankiec@braille.uwo.ca>
> >> >To: "brian Moore" <admin@bmoore.yi.org>
> >> >Cc: <speakup@braille.uwo.ca>
> >> >Sent: Friday, October 27, 2000 11:23 PM
> >> >Subject: Re: need a volunteer
> >> >
> >> >> Ok Brian.
> >> >> How secure do you want this machine that lives on the wonderfully insecure network of athome? I would imagine that you want something that's a little tighter than what you have right now. When I portscan you I see 21, 23, 24, 80, 110 and 113. Looks like everything else is closed up. My recommendation to you is to get ssh on your box and forget about telnet and ftp for starters. Why you have pop3 waiting for connections is something else I would think you would want shut down. If you really need http keep it. However if you have another machine that you can specifically set up as a firewall you will be a lot happier to know that all of the traffic to your http server can be logged. Same goes for everything else.
> >> >>
> >> >> One thing that you really also want to have happening is some ipchains rules set up so that your machine doesn't respond to portscans or ping requests. This should fool most people looking around to find someone vulnerable. I'll post an ipchains rule set that has a lot of this done for you already. Then Kerry can go over it with a fine tooth comb and tell me what's wrong with it.
> >> >>
> >> >> HTH
> >> >> FC
> >> >>
> >> >> On Fri, 27 Oct 2000, brian Moore wrote:
> >> >>
> >> >> > Greetings all. Okay, finally got my linux box up and all my services running the way I want. My mail server is finally doing what I want. I think I have all my ipchains rules set up right and plugged all the security holes I know of. The one I'm not clear on is my port 25 security. If this machine ever becomes a spam host, I will have to shoot myself, so I want to make real sure that no one except those in my local network can use it. Probably asking for trouble but got all my logging on verbose to see what happens. Can someone try and use my smtp server and see if you can. If you notice anything else, let me know as well.
> >> >> >
> >> >> > Would really appreciate it.
> >> >> >
> >> >> > host is bmoore.yi.org
> >> >> > thanks. brian.
* Re: need a volunteer
From: Frank J. Carmickle
To: brian Moore; +Cc: speakup

Alright everybody. Here's Shawn's ipchains script. It has lots of stuff in it that some of you may or may not want. I would suggest that you read it carefully and edit it to your liking. It currently logs and blocks certain related hosts' traffic. This script was the product of being hacked pretty badly. I would also recommend that people use the TCP wrapper by placing certain hosts in the hosts.allow and hosts.deny files. The biggest thing you can do for yourself is to test your own security. Make sure that everything that you set up is working the way that you would expect it to. Remember any machine connected to a network has some security risks. If anyone has suggestions or changes please post them. I am sure they would help everyone.

Here it is!

#!/bin/sh
#
# IPCHAINS-FIREWALL V1.6.2m
#
# ----------------------------------------- Ipchains Firewall and MASQ Script -
#
# Original script by Ian Hall-Beyer (manuka@nerdherd.net)
#
# Contributors:
#   terminus (cpm@dotquad.com) (ICQ & DHCP, @home testing)

# ---------------------------------------------------------------- Interfaces -

# Local Interface
# This is the interface that is your link to the world
LOCALIF="eth0"

# Internal Interface
# This is the interface for your local network
# NOTE: INTERNALNET is a *network* address. All host bits should be 0
INTERNALNET="192.168.1.0/24"
INTERNALIF="eth1"

# ------------------------------------------------------- Variable definition -
#
# Set the location of ipchains.
IPCHAINS="/sbin/ipchains"

# You shouldn't need to change anything in the rest of this section
# (the address is read from the "inet addr:x.x.x.x  Bcast:..." line of ifconfig;
# the field separator is a literal space)
LOCALIP=`ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
LOCALMASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4`
LOCALNET="$LOCALIP/$LOCALMASK"

echo "Internal ($INTERNALIF): $INTERNALNET"
echo "External ($LOCALIF): $LOCALNET"
echo "-------------------------------------"

REMOTENET="0/0"

# -------------------------------------- Flush everything, start from scratch -

echo -n "Flushing rulesets.."

# Incoming packets from the outside network
$IPCHAINS -F input
echo -n "."

# Outgoing packets from the internal network
$IPCHAINS -F output
echo -n "."

# Forwarding/masquerading
$IPCHAINS -F forward
echo -n "."

echo "Done!"

# ---------------------------------- Allow all connections within the network -

echo -n "Internal.."
$IPCHAINS -A input -s $INTERNALNET -d $INTERNALNET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n ".."
echo "Done!"

# -------------------------------------------------- Allow loopback interface -

echo -n "Loopback.."
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
echo -n ".."
echo "Done!"

# -------------------------------------------------------------- Masquerading -

echo -n "Masquerading.."

# don't masquerade internal-internal traffic
$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n "."

# don't Masquerade external interface direct
$IPCHAINS -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT
echo -n "."

# masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ
echo -n "."

# set Default rule on MASQ chain to Deny
$IPCHAINS -P forward DENY
echo -n "."

# --------------------- Allow all connections from the network to the outside -
# NOTE: no -i on these rules, so the source address alone decides what counts
# as "internal" traffic.
$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT
echo -n ".."
echo "Done!"

# ----------------------------------Set telnet, www and FTP for minimum delay -
# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel

echo -n "TOS flags.."
$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10
echo -n "..."

# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
echo -n "."
echo "Done!"

# ---------------------------------------------------------- Trusted Networks -
# Add in any rules to specifically allow connections from hosts/nets that
# would otherwise be blocked.

echo -n "Trusted Networks.."
$IPCHAINS -A input -s 63.108.22.128/255.255.255.224 -d $LOCALNET -j ACCEPT
echo -n "."
# echo "Done!"

# ----------------------------------------------------------- Banned Networks -
# Add in any rules to specifically block connections from hosts/nets that
# have been known to cause you problems. These packets are logged.

# echo -n "Banned Networks.."

# This one is generic
# $IPCHAINS -A input -l -s [banned host/net] -d $LOCALNET <ports> -j DENY
# echo -n "."

# This one blocks ICMP attacks
# $IPCHAINS -A input -l -b -i $LOCALIF -p icmp -s [host/net] -d $LOCALNET -j DENY
# echo -n "."
# echo "Done!"

# ------------------------------------------------------ @home-specific rules -
# This @home stuff is pretty specific to me (terminus). I get massive port
# scans from my neighbors and from pokey admins at @home, so I just got harsh
# and blocked all their stuff, with a few exceptions, listed below.
#
# If someone out there finds out the ip ranges of JUST tci@home, let me know
# so i don't end up blocking ALL cablemodems like it's doing now.

echo -n "Cable Modem Nets.."

# so we can check mail, use the proxy server, hit @home's webpage.
# you will want to set these to your local servers, and uncomment them
# $IPCHAINS -A input -p tcp -s ha1.rdc1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s mail.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s www.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s proxy.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n "...."

# so we can resolve the above hostnames, allow dns queries back to us
# $IPCHAINS -A input -p tcp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p udp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p udp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n ".."

# linux ipchains building script page (I think)
# $IPCHAINS -A input -p tcp -s 24.128.61.117 -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n "."

# Non-@home users may want to leave this uncommented, just to block all
# the wannabe crackers. Add any @home hosts you want to allow BEFORE this line.
# Blast all other @home connections into infinity and log them.
# $IPCHAINS -A input -l -s 24.0.0.0/8 -d $LOCALNET -j DENY
echo -n "."
echo "Done!"

# ---------------------------- Specific port blocks on the external interface -
# This section blocks off ports/services to the outside that have
# vulnerabilities. This will not affect the ability to use these services
# within your network.

echo -n "Port Blocks.."

# NetBEUI/Samba
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 139 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 139 -j DENY
echo -n "."

# Microsoft SQL
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1433 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1433 -j DENY
echo -n "."

# Postgres SQL
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5432 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5432 -j DENY
echo -n "."

# Network File System
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 2049 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 2049 -j DENY
echo -n "."

# X Displays :0-:2-
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
echo -n "."

# X Font Server :0-:2-
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 7100 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 7100 -j DENY
echo -n "."

# Back Orifice (logged)
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 31337 -j DENY
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 31337 -j DENY
echo -n "."

# NetBus (logged)
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY
echo -n "."

echo "Done!"

# --------------------------------------------------- High Unprivileged ports -
# These are opened up to allow sockets created by connections allowed by
# ipchains

echo -n "High Ports.."
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
echo -n "."
echo "Done!"

# ------------------------------------------------------------ Basic Services -

echo -n "Services.."

# ftp-data (20) and ftp (21)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT
# echo -n ".."

# ssh (22)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 22 -j ACCEPT
# echo -n "."

# telnet (23)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT
# echo -n "."

# smtp (25)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT
# echo -n "."

# DNS (53)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
echo -n ".."

# DHCP on LAN side (to make @Home DHCP work) (67/68)
$IPCHAINS -A input -i $INTERNALIF -p udp -s $REMOTENET -d 255.255.255.255/24 67 -j ACCEPT
$IPCHAINS -A output -i $INTERNALIF -p udp -s $REMOTENET -d 255.255.255.255/24 68 -j ACCEPT
# echo -n ".."

# http (80)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
# echo -n "."

# POP-3 (110)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT
# echo -n "."

# identd (113)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 113 -j ACCEPT
# echo -n "."

# imapd (143)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 143 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 143 -j ACCEPT
# echo -n "."

# nntp (119)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 119 -j ACCEPT
# echo -n "."

# https (443)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 443 -j ACCEPT
# echo -n "."

# ICQ Services (it's a server service) (4000)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 4000 -j ACCEPT
# echo -n "."

echo "Done!"

# ---------------------------------------------------------------------- ICMP -

echo -n "ICMP Rules.."

# Use this to deny ICMP attacks from specific addresses
# (the external interface variable in this script is LOCALIF)
# $IPCHAINS -A input -b -i $LOCALIF -p icmp -s <address> -d 0/0 -j DENY
# echo -n "."

# Allow incoming ICMP
# NOTE: this accepts every ICMP type, echo requests included, so the host
# still answers pings.
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
echo -n ".."

# Allow outgoing ICMP
$IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
echo -n "...."
echo "Done!"

# -------------------------------------------------------- set default policy -
# Anything not matched above is dropped on input and allowed on output.
$IPCHAINS -A input -j DENY
$IPCHAINS -A output -j ACCEPT

echo "Setting up Port Forwarding"

echo "DialPad"
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 51200 51201 -c tcp 7175
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 51210 51210 -c tcp 7175

#echo "NabSter"
#/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 6698 6699 -c tcp 4444
#/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 6698 6699 -c tcp 8888
#/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 6698 6699 -c tcp 8875
#/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 6698 6699 -c tcp 5555
#/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 6698 6699 -c tcp 7777
# /usr/sbin/ipmasqadm autofw -A -v -u -r tcp 113 113 -c tcp 6667

# echo ICQ
# /usr/sbin/ipmasqadm autofw -A -v -u -r udp 2000 4000 -c tcp 4000

echo Speak Freely
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 2074 2076 -c udp 4074
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 4074 4075 -c udp 4074
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 2074 2076 -c udp 4075
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 4074 4075 -c udp 4075
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 2074 2076 -c udp 2074
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 4074 4075 -c udp 2074
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 2074 2076 -c udp 2075
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 4074 4075 -c udp 2075
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 2074 2076 -c tcp 2076
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 4074 4075 -c tcp 2076
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 2076 2076 -c udp 2074
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 2076 2076 -c udp 4074
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 2076 2076 -c udp 2075
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 2076 2076 -c tcp 2076

echo -n ".. Done"
echo ""
echo "Finished Establishing Firewall."
* Re: need a volunteer
From: Kirk Wood
To: speakup

This is not a complete script, but will add security to prevent external people from accessing your mail host.

ipchains -A input -p tcp -d externalip:25 -j DENY

Going down the command, the -A input adds a rule to the input chain. The -p tcp specifies tcp protocol and is needed to specify a port. The -d externalip:25 specifies anything addressed to your external ip address, port 25. (In case you didn't get it, you will substitute your external ip address here.) The -j DENY causes the packet to simply be dropped. No further action is taken. No ICMP message is generated. It is as if the packet never came. You could opt for REJECT here, in which case an ICMP packet will be sent to let the offending host know that he can't send here.

Without getting into an argument about security through obscurity, I choose to be less of a target. I don't count on script kiddies not finding me. But I prefer to not advertise my presence either.

=======
Kirk Wood
Cpt.Kirk@1tree.net
* Re: need a volunteer
From: Kirk Wood
To: speakup

By the way, any port can be instantly closed with ipchains. Again the general method is:

ipchains -A input -p tcp -d your_ip_address:port -j DENY

This will drop the packet as if it never occurred. You can change the last part to REJECT, in which case an icmp message is sent back to the originating host. But if you DENY the packet a port scanner won't see your machine. Don't rely on this to say you won't be attacked. It just lowers your profile.

By the way, while ATT at Home is less secure than some ISPs, the internet in general is a hostile world. If you really want to secure against it, cut the connection. Next would be to find an ISP that will place you behind their firewall.

=======
Kirk Wood
Cpt.Kirk@1tree.net
* Re: need a volunteer
From: Kerry Hoath
To: speakup

You might want to put an interface specifier on these rules; otherwise somebody upstream can spoof IPs through your firewall by making internal IPs show up on the external interface, so do bind the rule to a particular interface. This was a big problem with MS Proxy 2, which wouldn't let you specify an interface for a particular rule.

On Sat, Oct 28, 2000 at 01:40:23PM -0500, Kirk Wood wrote:
> By the way, any port can be instantly closed with ipchains. Again the general method is:
>
> ipchains -A input -p tcp -d your_ip_address:port -j DENY
>
> This will drop the packet as if it never occurred. You can change the last part to REJECT, in which case an icmp message is sent back to the originating host. But if you DENY the packet a port scanner won't see your machine. Don't rely on this to say you won't be attacked. It just lowers your profile.
>
> By the way, while ATT at Home is less secure than some ISPs, the internet in general is a hostile world. If you really want to secure against it, cut the connection. Next would be to find an ISP that will place you behind their firewall.
>
> =======
> Kirk Wood
> Cpt.Kirk@1tree.net

--
-- Kerry Hoath: kerry@gotss.eu.org
Alternates: kerry@emusys.com.au kerry@gotss.spice.net.au or khoath@lis.net.au
ICQ UIN: 62823451
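Kirk's DENY-versus-REJECT rule and Kerry's interface-binding point, worked through in an added example that is not from the thread: a toy first-match evaluator with ipchains-like semantics, run over constructed packets. The interfaces, networks and addresses (TEST-NET ranges) are constructed for the example, and nothing here invokes ipchains itself.

```python
# Added example (not from the thread): a toy first-match chain evaluator with
# ipchains-like semantics, run over constructed packets to show (a) Kirk's
# point that DENY drops silently while REJECT answers with ICMP, and (b) Kerry's
# point that a rule without -i lets a packet with a spoofed internal source
# address arriving on the external interface pass as "internal".
# Nothing here calls ipchains; all addresses and interfaces are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

LOCALIF = "eth0"               # external side, as in the posted script
INTERNALIF = "eth1"            # LAN side
INTERNALNET = "192.168.1.0/24"
LOCALIP = "198.51.100.7"       # constructed external address (TEST-NET-2)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrived on
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                     # -j: ACCEPT, DENY or REJECT
    iface: Optional[str] = None     # -i; None matches any interface
    proto: Optional[str] = None     # -p; None matches any protocol
    src: str = ANY                  # -s address/mask
    dst: str = ANY                  # -d address/mask
    dport: Optional[int] = None     # -d port (real ipchains writes the port
                                    # after the address, separated by a space)
    log: bool = False               # -l

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.iface is None or pkt.iface == self.iface)
            and (self.proto is None or pkt.proto == self.proto)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.dport is None or pkt.dport == self.dport)
        )


Verdict = Tuple[str, Optional[str], bool]   # (target, reply to sender, logged)


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DENY") -> Verdict:
    """Walk the chain top to bottom; the first matching rule decides.

    DENY drops the packet without any reply, so a scanner sees nothing.
    REJECT drops it but sends an ICMP error, which confirms a host is there.
    """
    for rule in chain:
        if rule.matches(pkt):
            reply = "icmp-port-unreachable" if rule.target == "REJECT" else None
            return rule.target, reply, rule.log
    return policy, None, False


# The posted script allows LAN traffic by source address only (no -i); a
# Kirk-style rule then closes port 25 on the external address for everyone else.
UNBOUND_CHAIN = [
    Rule("ACCEPT", src=INTERNALNET),                           # -s $INTERNALNET -j ACCEPT
    Rule("DENY", proto="tcp", dst=LOCALIP + "/32", dport=25),  # -p tcp -d $LOCALIP 25 -j DENY
]

# Kerry's fix: tie the LAN ACCEPT to the LAN interface, and drop (and log)
# anything on the external interface that claims a LAN source address.
BOUND_CHAIN = [
    Rule("DENY", iface=LOCALIF, src=INTERNALNET, log=True),
    Rule("ACCEPT", iface=INTERNALIF, src=INTERNALNET),
    Rule("DENY", proto="tcp", dst=LOCALIP + "/32", dport=25),
]

# Constructed sample packets, all aimed at the mail port.
LAN_MAIL = Packet(INTERNALIF, "tcp", "192.168.1.20", LOCALIP, 25)   # real LAN client
OUTSIDE_MAIL = Packet(LOCALIF, "tcp", "203.0.113.44", LOCALIP, 25)  # stranger on the cable net
SPOOFED_MAIL = Packet(LOCALIF, "tcp", "192.168.1.20", LOCALIP, 25)  # LAN address, external wire


def compare_chains() -> Dict[str, Tuple[str, str]]:
    """Verdict target of each sample packet under the unbound and bound chains."""
    samples = {"lan": LAN_MAIL, "outside": OUTSIDE_MAIL, "spoofed": SPOOFED_MAIL}
    return {
        name: (evaluate(UNBOUND_CHAIN, pkt)[0], evaluate(BOUND_CHAIN, pkt)[0])
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    for name, (unbound, bound) in compare_chains().items():
        print(f"{name:8s} without -i: {unbound:7s} with -i: {bound}")
```

The spoofed packet is the one to watch: it is accepted by the unbound chain and dropped (and logged) once the LAN rule carries an interface.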