On 27 May 2006 at 21:37, Harondel J. Sibble wrote:
> > they did that, it'd be amusing how many sysadmins would have a hard time
> > getting IRC or SSH or sendmail or ... to work. Does your system, in
> > fact, close all those ports with ipchains or the like? Or if not, how
> > *do* the ports get to be "closed by default"?
> >
> Depends on your choices during install. Mandrake used to offer the paranoid
> level in which no services were externally accessible; most other distros
> offer something similar.
There's a *HUGE* difference between not having services running and
having the ports *closed*. Closing ports means that you *cannot* open a
connection from an application and *NO* application can post a LISTEN.
Just shutting down services doesn't close any ports, it just doesn't run
the 'usual' servers on them. Apps can still connect out [e.g., a zombie
connecting to its IRC-channel master to pick up more malware and/or
attack instructions] and in most cases, apps can simply post LISTENs [and
so be sitting there waiting to be told to do something].
BTW: I'm pushing on this because I was teaching a class using Unix and it
was imperative that I set up a "sandbox" for the students to give them
the ability to do a LOT of fooling around but not hurt the server (or the
LAN or the Internet). It was *remarkably* difficult [e.g., protecting a
Unix system from a user doing:
#!/usr/bin/perl
while (1)
{ fork(); }
or filling a filesystem, or ... But I managed that... but the one thing
I couldn't figure out how to do was to prevent the students from writing
little net-apps that connected out and [potentially] screwed up the
school's LAN [if not causing more widespread troubles] or that ran
servers, etc. [this in the days before iptables was available [at least
on the distro we were using]... and even now, I think that using ipchains
to control this kind of thing is tricky, at best]. I'd *LOVE* to hear
that there's some easy/elegant way to control a program's/user's access
to sockets and the Internet...
/Bernie\
--
Bernie Cosell Fantasy Farm Fibers
mailto:[EMAIL PROTECTED] Pearisburg, VA
--> Too many people, too few sheep <--
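An added example for the sandbox Bernie describes above, not code from this thread, from Mandrake, or from any distro. It generates the policy that actually *closes* ports for a class of student accounts, as opposed to merely not running daemons on them, plus the per-account process cap that stops the quoted fork bomb and a group quota so filling a filesystem stops at the quota. It assumes (my assumptions, not stated in the thread) that students share a primary Unix group whose numeric gid is passed in, that the kernel has iptables with the "state" and "owner" matches, and that the host's own legitimate services are the TCP ports given in the second argument. The functions only print commands and config lines; the admin reviews them and pipes them to sh as root.

```sh
#!/bin/sh
# Added example for the "closed ports vs. stopped services" thread; not the
# list's or Bernie's own code. Assumed layout (not from the thread): students
# have a common primary group (numeric gid below), iptables has the "state"
# and "owner" matches, and ALLOWED_IN names the host's real TCP services.
# Apply as root with:   sandbox_rules 1001 "22" | sh
# after reading the output, so nothing takes effect unreviewed.

# Line for /etc/security/limits.conf: a hard cap on processes per student
# account, which is what stops `while (1) { fork(); }` from taking the box.
process_limit_line() {
    group="$1"; max="$2"
    printf '@%s hard nproc %s\n' "$group" "$max"
}

# Group disk quota on one filesystem (block soft/hard, inode soft/hard), so a
# student who fills the disk hits the quota, not the end of the partition.
quota_command() {
    group="$1"; fs="$2"; blocks="$3"; inodes="$4"
    printf 'setquota -g %s 0 %s 0 %s %s\n' "$group" "$blocks" "$inodes" "$fs"
}

# iptables commands for one sandbox group.
#   Inbound: the "owner" match only exists for locally generated packets, so
#   inbound must be closed by port, not by user. Only the listed ports accept
#   NEW connections; a student program can still bind and LISTEN elsewhere,
#   but no SYN ever reaches it, which is what "closed" really means.
#   Outbound: packets whose socket belongs to the group are REJECTed rather
#   than DROPped, so a student's connect() fails at once instead of hanging.
#   Other users' traffic never matches the owner rule and is unaffected.
sandbox_rules() {
    gid="$1"; allowed_in="$2"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $allowed_in; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything else inbound, TCP or UDP, is dropped: no port is reachable.
    echo "iptables -A INPUT -j DROP"
    # Replies on connections the host itself accepted above must still flow.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --gid-owner $gid -j REJECT --reject-with icmp-port-unreachable"
}

# Usage: sh sandbox.sh <student-gid> "<allowed tcp ports>"  (prints the policy)
if [ "$#" -ge 2 ]; then
    process_limit_line students 40
    quota_command students /home 500000 50000
    sandbox_rules "$1" "$2"
fi
```

Two caveats worth keeping in mind when using this: `--gid-owner` matches the gid that owns the socket, which is the process's primary group, so students must actually log in with that group as their primary one; and the REJECT in OUTPUT does nothing about a student process that *listens* on a port the host already serves, so the allowed-port list should contain only ports the system daemons bind first.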
--
----------------------------------------
WIN-HOME Archives: http://PEACH.EASE.LSOFT.COM/archives/WIN-HOME.html
Contact the List Owner about anything: [EMAIL PROTECTED]
Official Win-Home List Members Profiles Page
http://www.besteffort.com/winhome/Profiles.html