On Tue, Sep 28, 1999 at 11:12:11AM -0300, M Taylor wrote:
> To control access, I would make certain that you use a recent kernel,
> 2.2.12 works well for me, and have all necessary distribution's
> patches and updates installed. You can use tcp_wrappers for "coarse"
> access control such as 44.*.*.* vs. from the internet access, and a
> mini-firewall using ipchains for "finer grain" access control and logging.

And don't forget the obvious:

Do not give shell access to new users by default! Set their
default shells to /bin/false.

This is easy enough to do -- "adduser" is a script, and can be edited by
hand. While you're at it, be sure to `echo "$USERNAME" >>/etc/ftpusers` to
prevent them from accessing files on the box via FTP.

Sendmail is a bit more difficult to secure down, as it requires modifying
sendmail.cf (recommended; sendmail.m4 just doesn't give you the flexibility
that a direct edit of sendmail.cf does). However, it's quite possible to
terminate the use of mail relaying in all forms by editing sendmail.cf
appropriately. Armored Internet, my company, did just this -- and for the
last four years, not one mail has been relayed from our servers. Not saying
it's impossible -- just that it has yet to be done. Unfortunately, due to
NDAs, I cannot release the sendmail.cf. :(

POP servers are even more difficult, as they require modification of the
POP/IMAP server software itself. But this is also trivial, if you know the
C programming language. Create a new configuration file, "popusers", which
works identically to ftpusers. Every time a POP server receives both a USER
and a PASS parameter, check the POP users file, and make sure that the
indicated user isn't listed. Then that will stop them from accessing their
e-mail. It will not stop them from attempting to hack another e-mail
account, however -- nothing you can do on your box can stop this. It's all
a part of being a service provider. Deal with it! :-)

Once these measures have been put in place, /really/, the only way to get
into the box is through whatever channels you actually set up. They cannot
get to shell access, either via telnet, rlogin, or otherwise, as their shell
is set to /bin/false. rsh won't work because (presumably) they do not have
a .rlogin file sitting in their home directory. They won't be able to FTP
files in or out of the box if their user ID is in the ftpusers file except
as anonymous, and the security for anonymous in most FTP servers is usually
quite good. Proper directory structuring is the key here. They won't be
able to relay mail off your server with a correctly configured sendmail.cf
(the "anti-spam" and "anti-relaying" measures in Sendmail don't cover all
the cases, or even most of the cases -- a full audit of sendmail.cf is
required for efficient anti-relay protection). And with the modified POP
server, they won't be able to check their mail either, thus preventing
another form of DoS attack.

The worst thing that can happen in this case is they can hog the network
bandwidth in your modem.

==========================================================================
KC5TJA/6 | -| TEAM DOLPHIN |-
DM13 | Samuel A. Falvo II
QRP-L #1447 | http://www.dolphin.openprojects.net
Oceanside, CA |......................................................
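
The "popusers" check described in the message above, written out in C as an added example (it is not code from the original post or from any particular POP server). The function names, the sample file name and its entries are assumptions, and the file format is assumed to follow ftpusers: one account name per line, with '#' starting a comment.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if user is listed in the deny file, 0 if not, -1 if the file
 * cannot be read. Assumed format: one name per line, '#' starts a
 * comment, blank lines and surrounding blanks are ignored. */
int popusers_listed(const char *path, const char *user)
{
    char line[256];
    int found = 0;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    while (!found && fgets(line, sizeof line, fp) != NULL) {
        char *name = line + strspn(line, " \t");   /* skip leading blanks */
        name[strcspn(name, "# \t\r\n")] = '\0';    /* cut at comment/space/EOL */
        if (*name != '\0' && strcmp(name, user) == 0)  /* exact match only */
            found = 1;
    }
    fclose(fp);
    return found;
}

/* Call once both USER and PASS have been received, before the password is
 * checked. Fails closed: an unreadable deny file refuses everyone. */
int pop_login_permitted(const char *path, const char *user)
{
    return popusers_listed(path, user) == 0;
}

/* Writes a constructed sample deny file for the demonstration. */
int write_sample_popusers(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs("# accounts denied POP access (constructed sample)\n"
          "newuser\n"
          "  guest   # trial account\n", fp);
    return fclose(fp);
}

int main(void)
{
    const char *path = "popusers.sample";
    if (write_sample_popusers(path) != 0) return 1;
    printf("newuser: %s\n", pop_login_permitted(path, "newuser") ? "+OK" : "-ERR");
    printf("alice:   %s\n", pop_login_permitted(path, "alice") ? "+OK" : "-ERR");
    return 0;
}
```

Returning the same -ERR response for a listed account as for a wrong password keeps the server from revealing which accounts exist or are blocked.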