10. Security: On Host

10.1. xinetd

The default RedHat xinetd configuration seemed OK.

10.2. nmap Scan: Listening Ports

An nmap scan from an unprivileged machine showed nothing (IPTables is working!). A scan from a privileged host showed 22, 111 and 6000 open only. 22 (SSH) and 6000 (X) are required.

10.2.1. RPC (portmap)

The portmapper was running (port 111), an unwanted open port, so the rc3|4|5.d/S13portmap links were removed to prevent it starting on boot, then portmap stop and portmap status were run to confirm it was down.

(May need this back if need NFS in future.)

10.3. sendmail

Sendmail is installed as it is used for many system-related things, for example emailing the results of cron scripts to root. However, it is secured via its own config (/etc/mail/sendmail.mc):

dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
and port 25 is of course "IPTabled-out".

10.4. IPTables

Replaced /etc/init.d/iptables with a modified version which works with my version of /etc/sysconfig/iptables, given below.

#!/bin/sh

# -- where's the iptables binary?
IPT="/sbin/iptables"


# -----------------------------------------------------------------------------
# -- to start with, clean out the bath :

for i in filter nat mangle
do
    $IPT -t $i -F
    $IPT -t $i -X
done


# -----------------------------------------------------------------------------
# -- if its related to something that's already started, allow it :

$IPT -t filter -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT


# -----------------------------------------------------------------------------
# -- ME :

$IPT -t filter -A INPUT  -s 127.0.0.1 -j ACCEPT
$IPT -t filter -A OUTPUT -s 127.0.0.1 -j ACCEPT


# -----------------------------------------------------------------------------
# -- NEW INWARD VIP TCP connections :

$IPT -t filter -A INPUT -s 130.88.100.77  -m state --state NEW -j ACCEPT 


# -----------------------------------------------------------------------------
# -- GBTC :

# -- new config for 149.97--124 :
# 
$IPT -t filter -A INPUT  -s 130.88.149.96/32 -j DROP
$IPT -t filter -A INPUT  -s 130.88.149.96/28 -j ACCEPT
##$IPT -t filter -A INPUT  -s 130.88.149.97/28 -j ACCEPT
$IPT -t filter -A INPUT  -s 130.88.149.111/32 -j ACCEPT
$IPT -t filter -A INPUT  -s 130.88.149.112/28 -j ACCEPT

# -- old config for 155.51--75 :
# 
##$IPT -t filter -A INPUT  -s 130.88.155.76/30 -j DROP
##
##$IPT -t filter -A INPUT  -s 130.88.155.51/28 -j ACCEPT
##$IPT -t filter -A INPUT  -s 130.88.155.64/28 -j ACCEPT


# -----------------------------------------------------------------------------
# -- every other NEW tcp connection can go in the bin :

$IPT -t filter -A INPUT -m state --state NEW -j DROP


# -----------------------------------------------------------------------------
# -- udp :

$IPT -t filter -A INPUT  -p udp -j DROP


# -----------------------------------------------------------------------------
# -- icmp :

$IPT -t filter -A INPUT -p icmp -j DROP


# -----------------------------------------------------------------------------
# -- the policies which override everything else :

$IPT -t filter -P INPUT DROP
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t filter -P FORWARD DROP


# -----------------------------------------------------------------------------
# -----------------------------------------------------------------------------

About this document:

Produced from the SGML: /home/isd/public_html/_gbtc/_reml_grp/index.reml
On: 16/9/2003 at 13:25:38
Options: reml2 -i noindex -l long -o html -p multiple