On Sun, 2002-11-03 at 11:55, Jack Coates wrote:
> On Sun, 2002-11-03 at 07:18, Rod Giffin wrote:
> > On Sun, 2002-11-03 at 09:11, . wrote:
> > >     I could use some help with msec.  I found in the documentation how
> > > you can use the /etc/security/msec/perm.local file to allow for
> > > modifying permissions of a file.  My problem is with modifying a file.
> > >  I've got a firewall running at security level 3.  I want to modify some
> > > files like /etc/syslogd.conf and /etc/issue{.net}; however, msec keeps
> > > "undoing" my changes.
> > >
> > > Any help would be greatly appreciated.
> > 
> > I've got the same problem I think.  It appears to me that msec and
> > shorewall for instance, work against each other.  I think the idea
> > behind msec is good, but somehow I think its default configuration is a
> > little overboard.
> > 
> > Rod.
> > 
> 
> Haven't had any problems here -- what are you seeing?

I'm now sure that I should not have included Shorewall in the statement
above.  It is working as advertised.  It's msec I'm having the biggest
problem with.

Just for example, during the install process (and afterwards in the
configuration center) I told the system I wanted higher security - the
instructions say that this is sufficient security for a server connected
to the internet.  Apparently you can't believe everything you read,
because that setting causes the line: ALL:ALL EXCEPT 127.0.0.1:DENY
to be added to hosts.deny.  That is inappropriate for a server that
might, say, be used as a dns/e-mail server.  I haven't found out where to
change this yet, and any changes I make in that file are commented out by
crond's msec scripts every hour.

Short of removing msec's scripts from crond, which is also
self-defeating, I'm at a loss.  There is a bit of documentation on msec on
www.mandrakesecure.net, but the fix for my problem isn't exactly jumping
off of the page at me.  At the moment, the only solution I can see is
changing the security level from 4 back to 2 and hoping Shorewall drops
any unwanted traffic on the floor.  At least it will allow my remote
users to retrieve their e-mail, and my dns will work.

One other issue I had was with the Postfix install, but I've installed
drakwizard on a test system here and see that the wizard provides the
proper postfix configuration files.  I don't actually have the time
anymore to figure out what it adds, so I'm going to have to drive to my
system (20 miles away) and install and run the wizard manually rather
than by webmin or ssh.  Very disappointing.  I use Mandrake specifically
because it has been easy to administer remotely.

Rod.
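
Added example, not part of the message above and not msec or tcp_wrappers code: a simplified model of how tcp_wrappers evaluates the hosts.deny line quoted in the message, showing which clients it rejects and that hosts.allow is searched before hosts.deny. The daemon name `ipop3d`, the sample hosts.allow entry and the client addresses are constructed for illustration; only `ALL`, exact matches, trailing-dot prefixes and `EXCEPT` are modelled.

```python
# Added example: simplified model of tcp_wrappers rule evaluation.
# Models only ALL, exact matches, trailing-dot prefixes and EXCEPT.

def _match_token(token, value):
    if token == "ALL":
        return True
    if token.endswith("."):              # network prefix, e.g. "192.0.2."
        return value.startswith(token)
    return token == value

def _match_list(spec, value):
    """'list_1 EXCEPT list_2' matches list_1 unless list_2 also matches."""
    tokens = spec.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_list(" ".join(tokens[:i]), value)
                and not _match_list(" ".join(tokens[i + 1:]), value))
    return any(_match_token(t, value) for t in tokens)

def _first_match(rules, daemon, client):
    """Return the option fields of the first matching rule, or None."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2 and _match_list(fields[0], daemon) \
                and _match_list(fields[1], client):
            return [f.upper() for f in fields[2:]]
    return None

def access_allowed(hosts_allow, hosts_deny, daemon, client):
    """Search hosts.allow, then hosts.deny; the first match decides."""
    for rules, file_default in ((hosts_allow, True), (hosts_deny, False)):
        options = _first_match(rules, daemon, client)
        if options is not None:
            if "DENY" in options:
                return False
            if "ALLOW" in options:
                return True
            return file_default
    return True                          # no rule matched: access granted

MSEC_DENY = "ALL:ALL EXCEPT 127.0.0.1:DENY"   # line quoted in the message
SAMPLE_ALLOW = "ipop3d: ALL"                  # constructed hosts.allow entry

if __name__ == "__main__":
    for allow in ("", SAMPLE_ALLOW):
        for client in ("127.0.0.1", "203.0.113.10"):   # constructed clients
            print(repr(allow), client,
                  access_allowed(allow, MSEC_DENY, "ipop3d", client))
```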

