Re: sendmail log question?
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Tue, 22 Jul 2008 14:55:33 -0500
On Mon, 21 Jul 2008, in the Usenet newsgroup comp.mail.sendmail, in article
<48853796$0$4043$b9f67a60@xxxxxxxxxxxxxxxxxx>, Knute Johnson wrote:
> Moe Trin wrote:
> My mistake, the server box is still running F8, so I think that is the
> correct sendmail.
As of Saturday night, it was the latest FC8 update.
Are you a world traveler, or do you have users authorized to log into
your system from every IP address in the world? You'll find you will
waste fewer CPU cycles by configuring your firewall to only allow
connections to your SSH server from IP addresses you actually expect
may have a legitimate reason to connect. For me, that means allowing
just 1536 IP addresses (a /22 and two /24s) out of the 2676890800 IPv4
addresses in current use in the entire world.
> That's why I have the denyhosts running, because I need to ssh into the
> box from IPs that I don't know before I leave.
http://www.iana.org/assignments/ipv4-address-space
If you must leave it wide open, I _strongly_ agree with Grant that you
move the server to some high port number over roughly 1100, and not one
of the commonly used ones (see the nmap package that is part of FC8).
Before you think "SECURITY THROUGH OBSCURITY!" remember that moving
the server location in no way changes the authentication mechanisms
you have in place - you still need a valid username and password to
get in. What it _does_ do is to raise a trivial barrier to the skript
kiddiez and 'bots that know that SSH servers only exist on port 22.
There are even stronger concepts like 'port knocking' where the remote
has to send a packet to a specific _closed_ port which causes the
firewall to temporarily open some other port (where the SSH server is
actually waiting) to that specific address. This mechanism is a strong
defense against port-scanning, BUT may be more work than is needed or
desired ("KISS" = Keep It Simple, Stupid!).
> Thanks, that name problem is coming from denyhosts. I think I'm going
> to have to talk to them about that.
Depending on hostnames for security (except where the lack of an
appropriate 'A' or 'PTR' record is grounds for blocking) is usually a
bad idea. The man page for tcp_wrappers (man 5 hosts_access) provides
two 'wildcard' entries (KNOWN and UNKNOWN), but Prof. Venema warns in
the descriptions of possible problems due to name resolution mis-cues.
There is also a 'PARANOID' wildcard that _could_ be useful for some
services, but would trigger on 'generic' 'PTR' names like the two you
posted (196-201-135-143.iwayafrica.com and 83.72.199.48.ip.tele2adsl.dk
which may not have matching 'A' records).
I've always felt that "reactionary" programs (programs that react to
perceived events) are less useful than common sense. It used to be a
childish h4X0r trick to send packets to their "friend's" computer that
spoofed "attacks" from the DNS server or gateway that the "friend" was
using. This is much less common today, but the concept remains.
Old guy
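An added example, not part of the post above or of tcp_wrappers itself: a Python sketch of the forward-confirmed reverse lookup behind the KNOWN/UNKNOWN/PARANOID wildcards, so you can see why generic PTR names like the two quoted would trip PARANOID. The resolver tables are constructed so it runs offline; the address for the first name is inferred from the PTR string and the forward (A) answers are assumed, not real DNS data.

```python
import socket
from typing import Callable, List, Tuple

# Constructed resolver tables so the check runs offline. The address for the
# iwayafrica name is inferred from the PTR string; the A answers are assumed.
SAMPLE_PTR = {
    "192.0.2.10": "shell.example.net",
    "196.201.135.143": "196-201-135-143.iwayafrica.com",
    "83.72.199.48": "83.72.199.48.ip.tele2adsl.dk",
}
SAMPLE_A = {
    "shell.example.net": ["192.0.2.10"],
    "196-201-135-143.iwayafrica.com": [],              # assumed: no A record at all
    "83.72.199.48.ip.tele2adsl.dk": ["198.51.100.7"],  # assumed: A points elsewhere
}

def table_ptr(ip: str) -> str:
    return SAMPLE_PTR[ip]            # KeyError is a LookupError: no PTR record

def table_a(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])

def system_ptr(ip: str) -> str:
    """PTR lookup through the system resolver; LookupError when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror as exc:
        raise LookupError(ip) from exc

def system_a(name: str) -> List[str]:
    """IPv4 addresses the name resolves to (empty list when it does not)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def classify(ip: str, ptr: Callable[[str], str] = system_ptr,
             a: Callable[[str], List[str]] = system_a) -> Tuple[str, str]:
    """Mimic the hosts_access wildcards: UNKNOWN when the address has no name,
    PARANOID when the name's A records do not include the address, else KNOWN."""
    try:
        name = ptr(ip)
    except LookupError:
        return "UNKNOWN", ""
    if ip in a(name):
        return "KNOWN", name
    return "PARANOID", name

def sshd_allowed(ip: str, ptr=system_ptr, a=system_a) -> bool:
    """Policy equivalent to allowing only forward-confirmed (KNOWN) clients."""
    return classify(ip, ptr, a)[0] == "KNOWN"
```

Call `classify(ip)` with no table arguments to run the same check against the live resolver.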