tightening up would have to be done at two places: the firewall; and my Linux boxes. I handle the Linux boxes, so let's talk about that.
- If I don't have IPX support compiled into the kernel, then there's no issue, is there. There's no way someone could issue slist commands through my box.
- If I do have IPX support compiled in, and need to keep it for whatever reason (not allowed to recompile the kernel or whatever), then all I do is remove ipx from /etc/services, right. That should take care of it. I don't need to mess with ipchains.... or do I?

Michael Martinez
System Administrator (Contractor)
Information Systems and Technology Management
CSREES - United States Department of Agriculture
(202) 720-6223

-----Original Message-----
From: Steven J. Yellin [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 08, 2002 7:19 PM
To: [EMAIL PROTECTED]
Subject: Re: SLIST under linux?

On Mon, 8 Jul 2002 [EMAIL PROTECTED] wrote:
> "Martinez, Michael - CSREES/ISTM" <[EMAIL PROTECTED]> wrote ..
> > I recently had a network audit, which had the following to say about my Linux machines. Wanted to get some feedback from the list. It seems rather bogus. I never heard of this. Can somebody provide details. Is this legitimate or no:
> >
> > "The linux system accepts the SLIST command from outside the agency to display internal routing tables. This poses a serious security risk..."
>
> "slist" is I believe just an implementation of Novell's SLIST command for listing NetWare servers. Question, are you running a NetWare emulator on Linux or just doing slist on Linux to see NetWare servers you have in house? The slist on Linux is a part of the ncpfs-2.2.0.18-6 package. You could just remove the slist command from most Linux boxes, or you could rename slist and make a script wrapper for the slist command so not everyone can use it, or you could change the execute permissions to root only, or contact its developer for other options.
>
> Peter

Ask the folks who did the network audit what ports SLIST uses on your machine to access it.
If, for example, they are 3200-3600, you can use your firewall to block access to ports 3200-3600 from "outside the agency". If your firewall is ipchains, for example, it might need something like (I may well be making a mistake in syntax)

    ipchains -A input -p tcp -y -s ! <your agency's IP range> --dport 3200:3600 -j DENY

or for iptables

    iptables -A INPUT -p tcp --syn -s ! <your agency's IP range> --dport 3200:3600 -j DROP

If your "agency" has its own firewall, maybe they should be blocking whatever are the risky ports themselves.

--
Steven Yellin

_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
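Added example, not part of the thread above: the iptables rule Steven sketches (block new TCP connections to ports 3200-3600 unless the source is inside the agency's range) rewritten as a small Python evaluator, run over a handful of constructed packets so you can see exactly which traffic it does and does not stop. The agency range 192.0.2.0/24 is a placeholder for "<your agency's IP range>", and 3200-3600 is the example port range from the mail, not a value taken from the audit.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders: stand-ins for "<your agency's IP range>" and
# for the example port range used in the thread, not real audit findings.
AGENCY_RANGE = ipaddress.ip_network("192.0.2.0/24")
BLOCKED_PORTS = range(3200, 3601)   # "--dport 3200:3600" is inclusive on both ends


@dataclass(frozen=True)
class Packet:
    src: str        # source address as it arrives at the INPUT chain
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    syn: bool = False   # TCP SYN-only segment, i.e. a new connection attempt


def matches_drop_rule(pkt: Packet) -> bool:
    """Mirror of: iptables -A INPUT -p tcp --syn -s ! <agency> --dport 3200:3600 -j DROP

    ipchains' -y is the same match as iptables' --syn.
    """
    if pkt.proto != "tcp":
        return False                 # "-p tcp": UDP or anything else never matches
    if not pkt.syn:
        return False                 # "--syn": only the first segment of a connection
    if ipaddress.ip_address(pkt.src) in AGENCY_RANGE:
        return False                 # "-s !": sources inside the agency are exempt
    return pkt.dport in BLOCKED_PORTS


def verdict(pkt: Packet) -> str:
    # Assumes the INPUT chain's default policy is ACCEPT, as in the mail.
    return "DROP" if matches_drop_rule(pkt) else "ACCEPT"


# Constructed sample traffic covering each branch of the rule.
SAMPLE = [
    Packet("198.51.100.7", "tcp", 3400, syn=True),   # outside, new TCP connection: dropped
    Packet("192.0.2.15", "tcp", 3400, syn=True),     # inside the agency range: exempt
    Packet("198.51.100.7", "tcp", 3400, syn=False),  # outside, mid-connection segment: not matched
    Packet("198.51.100.7", "udp", 3400),             # outside, UDP: a "-p tcp" rule never sees it
    Packet("198.51.100.7", "tcp", 22, syn=True),     # outside, port not in range
]


def evaluate(packets=SAMPLE):
    """Return (src, proto, dport, syn, verdict) for each packet."""
    return [(p.src, p.proto, p.dport, p.syn, verdict(p)) for p in packets]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

What the sample output makes visible: the rule only blocks new TCP connections from outside to that port range. If the auditors come back and say the service does not run over TCP at all (the thread itself mentions IPX), a "-p tcp" rule of this shape will not match it, so the first step really is the one Steven suggests: get the protocol and ports from the people who ran the audit before writing the rule.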