To: linux-security@redhat.com
I am the Firewall-1 administrator where I work and it has a very nice
GUI tool for defining objects (can be hosts, networks, DNS domains,
groups of hosts, etc.) and a straightforward way of building a
rulebase.
At home I use the LRP with a mini-qmail daemon forwarding the e-mail
via qmqp to the real mailhost, and sshd for remote admin. It has
ipautofw, ipportfw and masquerading.
I really can't think of anything I can do with the Firewall-1 machine
that I can't do with this LRP machine. The whole OS used to fit on a
floppy until I added the mini-qmail and sshd packages. Now it boots
off a small HD and runs only on ramdisks. Except for the GUI and the
price, I'd say they are about equal in terms of power and protection.
I've looked into TIS but never used it. It involved running proxy
daemons on the firewall for telnet, ftp and snmp. I like the LRP much
better.
(for those that don't know, LRP is the Linux Router Project. see
http://www.linuxrouter.org )
Enabling masquerading for dial-up clients
ipfwadm -F -p deny
ipfwadm -F -a m -S 0.0.0.0/0 -D 0.0.0.0/0    (the simplest form)
The first line sets the default forwarding policy to deny; the second appends a
masquerading rule that matches every source and destination. That is the minimal
working setup, but it masquerades whatever reaches the box; in practice give -S
the address range of your internal network so that only your own clients are
forwarded.
# /etc/hosts.deny
#
# deny all, send an alert email to root...
ALL : ALL : \
banners /etc/banners/deny : \
spawn ( \
/bin/echo -e "\n\
TCP Wrappers\: Connection Refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /bin/mail -s "$(uname -n) wrappers\: %d refused for %c" \
root@localhost ) &
====8<------ end of cut --------------------------
This will deny access to anyone not specifically allowed (from
/etc/hosts.allow), display a banner message (specific to the daemon being
called - see the man pages), and generate a very informative mail message
sent to root. (You can add other recipients to that line, btw.)
We have found this to be VERY useful here...
[mod: Some remarked that things like "%u" are "client controlled" and
could be used to exploit Tony's system. The manual however claims:
Characters in % expansions that may confuse the shell
are replaced by underscores.
so that should be OK. -- REW]
Still, I would rather write these logs to a file than put the load on my
sendmail; otherwise an attacker could bring my machine down just by raising
the rate of attempts.
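The following is an added example, not code from the original post or from the tcp_wrappers distribution. It replaces the mail pipeline in the hosts.deny entry above with a small script that appends one line per refused connection to a log file, which is the file-logging alternative preferred in the comment just above: a flood of attempts then costs one write each instead of one mail delivery each. It would be referenced from /etc/hosts.deny as `ALL : ALL : spawn /usr/local/sbin/log_refused %d %p %u %c`; the script path and the log file name are assumptions. The client-controlled %u and %c values reach the script only as arguments and are passed to printf as %s data, never re-parsed by a shell, so even without tcpd's underscore substitution they cannot inject commands.

```shell
#!/bin/sh
# Added example (not from the original post). Invoked by tcpd as
#   spawn /usr/local/sbin/log_refused %d %p %u %c
# The path and the log file name below are assumptions.

LOGFILE="${LOGFILE:-/var/log/tcpd-refused.log}"

# format_refusal DAEMON PID USER CLIENT
# Prints one log line: UTC timestamp, this host, then the four values.
# The format string is fixed and the values go through %s, so a USER or
# CLIENT containing `$(...)`, `;` or backticks is printed literally.
format_refusal() {
    daemon=$1
    pid=$2
    user=$3
    client=$4
    printf '%s %s daemon=%s pid=%s user=%s client=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" \
        "$daemon" "$pid" "$user" "$client"
}

# log_refusal DAEMON PID USER CLIENT
# Appends the formatted line to $LOGFILE; non-zero status if the write fails.
log_refusal() {
    format_refusal "$@" >> "$LOGFILE"
}

# When executed by tcpd there are exactly four arguments: log them.
# When sourced with no arguments only the functions are defined.
if [ "$#" -eq 4 ]; then
    log_refusal "$@"
fi
```

Because the script never hands the expansions to another shell, it also stays safe if a future tcp_wrappers build changes which characters percent_x() rewrites; the sanitisation the moderator quotes is then a second layer rather than the only one.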
How do I zero ipfilter's statistics without rebooting?
ipf -z -f my_ipfilter_rules_file
(-z resets the hit counters of each rule listed in the file to zero; the rules
themselves stay loaded.)
To use ssh1 and ssh2 side by side:
1. Install ssh-1.2.26 (first!)
2. Install ssh-2.x.x
3. Add to "sshd2_config" (adjusting the paths if necessary):
Ssh1Compatibility yes
Sshd1Path /usr/sbin/sshd1
4. Add to "ssh2_config" (adjusting the paths if necessary):
Ssh1Compatibility yes
Ssh1Path /usr/bin/ssh1
Configuring access restrictions in ssh2 itself is not straightforward, so the
simplest approach is to start it from inetd.conf and control access with the
standard TCP wrapper files hosts.allow/hosts.deny:
/etc/inetd.conf
ssh2 stream tcp nowait root /usr/sbin/tcpd sshd2 -i
/etc/hosts.allow
sshd2 : 123.232.175.0/255.255.255.0, 127.0.0.0/255.0.0.0, 234.567.890.12
The service name "ssh2" must map to port 22 in /etc/services, and the daemon
name in hosts.allow is the program tcpd runs (sshd2), not the service name.
The addresses above are placeholders (the last one is not even a valid IPv4
address); replace them with your own, and check the resulting policy with
tcpdchk and "tcpdmatch sshd2 <address>" before relying on it.
Last-modified: Thu, 15-Jul-99 10:50:00 GMT