multi-services server securing

Hello there,
I feel erroneously (?) secure after hosts.deny'ing in.telnetd and in.sshd from everywhere except one PC, which is denying all except keyboard. I believe that if I can keep the hosts.deny and hosts.allow files safe, and from time to time patch the most current security holes, I'll be conditionally safe. Am I wrong? Probably I am.
I just can't imagine how a system can be cracked at a lower stage, so that is my problem. I heard that inetd is very insecure, and some people use tcpd (or something that sounds like it).
I run harden_suse, but was forced to answer 8/10 with no, as my server should provide a lot of public services, and have world-writable directories as well. And that's right: this script was not developed for systems like mine. However, I'll run the SuSE-firewall-3.0 script to make my system even stronger. But that's all. I don't know what else I can do. I should keep the following services open: httpd; smtpd; pop3d; ftpd; snmpd; named; inetd; sshd; nscd. So if you know how to keep them at minimal risk, or know some holes in those, I would be very grateful for any info and/or tips. I don't ask you to do the work for me; a link to a good manual would be nice too. By the way, I have SuSE 6.3 (2.2.13). Thanks in advance.
Sincerely Yours,
Gediminas Grigas mailto:gedas@kryptis.lt

On Wed, Aug 12, 1998 at 03:47:03PM +0300, Gediminas Grigas wrote:
> Hello there,
> I feel erroneously (?) secure after hosts.deny'ing in.telnetd and in.sshd from everywhere except one PC, which is denying all except keyboard. I believe that if I can keep the hosts.deny and hosts.allow files safe, and from time to time patch the most current security holes, I'll be conditionally safe. Am I wrong? Probably I am.
In any case, someone hacked your RealTimeClock to say it's still 1998.
> I just can't imagine how a system can be cracked at a lower stage, so that is my problem. I heard that inetd is very insecure, and some people use tcpd (or something that sounds like it).
> By the way, I have SuSE 6.3 (2.2.13).
In any case get a later kernel; there are some serious flaws in anything before 2.2.16.
Jurriaan
--
What if Boeing were to copy Microsoft's habits? 'What do you think, Ed, is our new 787 ready?' 'I haven't heard any reports from our beta-testers last month about unexpected crashes, so go ahead..' Seen on Usenet
GNU/Linux 2.2.17pre16 SMP 2 users load av: 0.21 0.13 0.05

On Wed, 12 Aug 1998, Gediminas Grigas wrote:
> Hello there,
> I feel erroneously (?) secure after hosts.deny'ing in.telnetd and in.sshd from everywhere except one PC, which is denying all except keyboard. I believe that if I can keep the hosts.deny and hosts.allow files safe, and from time to time patch the most current security holes, I'll be conditionally safe. Am I wrong? Probably I am.
> I just can't imagine how a system can be cracked at a lower stage, so that is my problem. I heard that inetd is very insecure, and some people use tcpd (or something that sounds like it).
It may be OK for a fellow beginner to answer a little from my recent experience. The professionals on the list may find your question too open for them to answer.
I had tight hosts.allow files and until a few days ago I thought I was pretty secure. I was not cracked, but I found out I was wrong.
hosts.deny and hosts.allow are part of tcpd, so you are probably running tcpd already. If you have an entry like
    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
in your inetd.conf, then telnet connections go through tcpd. If you test this from a machine that is hosts.deny'd, then you will see that you make a connection and then are thrown off. Some people say this is bad, as a stranger will suspect you use inetd/tcpd/telnet and when a vulnerability is found they will come back and attack you. They say it is better to deny the packets with a firewall so they have to guess more and maybe leave you alone. Filtering other services through tcpd may be a good idea.
To motivate me to do some real learning and testing, I scanned my PC using the ShieldsUp tool on http://www.grc.com/ which a Windows user recommended to me. When I tested from this other machine and found out that httpd was open (I only started it locally for susehilf/htdig) I just shut it down.
> do else. I should keep the following services open: httpd; smtpd; pop3d; ftpd; snmpd; named; inetd; sshd; nscd. So if you know how to keep them at minimal risk, or know some holes in those, I would be very grateful for any info and/or tips. I don't ask you to do the work for me; a link to a good manual would be nice too. By the way, I have SuSE 6.3 (2.2.13).
I like Chapter 18 of the SuSE manual and http://www.securityportal.com/
Did you read the recent thread warning about sysadmins using ftp and telnet? It might affect you. You need to do much more learning than I have done yet :-)
dproc
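An added example, not from dproc or anyone else in the thread: a small POSIX shell audit of the inetd.conf format quoted above, listing enabled services whose server program is not tcpd and which therefore never consult hosts.allow/hosts.deny. The inetd.conf contents below are constructed for the example; point the function at /etc/inetd.conf to audit a real system.

```shell
#!/bin/sh
# Added example (not from the thread): find inetd.conf services that
# bypass tcpd, so hosts.allow/hosts.deny rules would never apply to them.

# Constructed sample inetd.conf (not a real system file).
SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server_path> <args>
telnet  stream tcp nowait root   /usr/sbin/tcpd   in.telnetd
ftp     stream tcp nowait root   /usr/sbin/tcpd   in.ftpd -l
pop3    stream tcp nowait root   /usr/sbin/popper in.pop3d
#finger stream tcp nowait nobody /usr/sbin/tcpd   in.fingerd
echo    stream tcp nowait root   internal
EOF

# unwrapped_services FILE: print, one per line, the names of enabled
# services whose server path (field 6) is not tcpd. Comment lines,
# blank lines and inetd's built-in "internal" services are skipped,
# since the latter have no server program that could be wrapped.
unwrapped_services() {
    awk '
        /^[[:space:]]*#/ || NF < 6 { next }       # comment, blank, malformed
        $6 == "internal"            { next }      # built into inetd itself
        $6 !~ /(^|\/)tcpd$/         { print $1 }  # server is not tcpd
    ' "$1"
}

# Stand-alone run: prints "pop3" for the sample above.
unwrapped_services "$SAMPLE_INETD"
```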

Hello all,
I'm not really sure if this question fits in the forum... I got the following message from our mailserver:
    kernel: grow_inodes: inode-max limit reached
I issued a df -i and got these results:
    Filesystem  Inodes  IUsed  IFree   IUse%  Mounted on
    /dev/hda3   759552  35264  724288  5%     /
    /dev/hda1   4016    18     3998    0%     /boot
Nothing else strange showed up in the logs. No (recorded) mail activity at that time either.
I'm running Qmail and Courier IMAP (with and without SSL).
Any suggestions?
Leif Larsson
L3 System www.l3system.net
PGP key fingerprint = 11 81 96 E6 F0 91 ED 4D 13 82 44 99 99 DB AE 8B

Check this:
    cat /proc/sys/fs/inode-nr
The first number is the max-inodes that the system can allocate, the second is the number currently in use (if memory serves.) They were nice enough to increase the max files value to 8192 for you, but the default max-inode is 16384... It is generally recommended that max-inode be set to four times the value of max-file. I for one run a fairly large mail server, and have max-file and max-inode set to 16384 and 65535 respectively.
You can change them by simply doing:
    echo 16384 > /proc/sys/fs/max-file
    echo 65535 > /proc/sys/fs/max-inode
- Herman
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Oops... just double checked... it's actually file-max and inode-max... I had the terms backwards with respect to the hyphen. Replace what I put below.
- Herman
Herman Knief wrote:
> Check this:
>     cat /proc/sys/fs/inode-nr
> The first number is the max-inodes that the system can allocate, the second is the number currently in use (if memory serves.) They were nice enough to increase the max files value to 8192 for you, but the default max-inode is 16384... It is generally recommended that max-inode be set to four times the value of max-file. I for one run a fairly large mail server, and have max-file and max-inode set to 16384 and 65535 respectively.
> You can change them by simply doing:
>     echo 16384 > /proc/sys/fs/max-file
>     echo 65535 > /proc/sys/fs/max-inode
> - Herman
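An added example, not Herman's: a POSIX shell check of the /proc/sys/fs counters discussed in this exchange, using the corrected names file-max and inode-max, that reports when allocated inodes or file handles approach their limit and when inode-max falls short of the "four times file-max" rule of thumb quoted above. It assumes the first field of inode-nr and of file-nr is the allocated count (as the kernel's sysctl/fs documentation describes them), treats inode-max as optional because later kernels removed it, and reads from a constructed stand-in directory rather than /proc; pass /proc/sys/fs to check a live 2.2 system.

```shell
#!/bin/sh
# Added example (not from the thread): warn when inode or file-handle
# allocation nears the kernel limit, and when inode-max < 4 * file-max.

# Constructed stand-in for /proc/sys/fs (values invented for the example).
FAKE_PROC_FS=$(mktemp -d)
printf '15900 40\n'       > "$FAKE_PROC_FS/inode-nr"  # allocated, free
printf '16384\n'          > "$FAKE_PROC_FS/inode-max"
printf '3200 900 8192\n'  > "$FAKE_PROC_FS/file-nr"   # allocated, used, max
printf '8192\n'           > "$FAKE_PROC_FS/file-max"

# pct_of ALLOCATED LIMIT: integer percentage of LIMIT in use; 0 if no limit.
pct_of() { [ "$2" -gt 0 ] 2>/dev/null && echo $(( $1 * 100 / $2 )) || echo 0; }

# check_fs_limits DIR [THRESHOLD]: print one line per finding (default
# threshold 90%); return 1 if anything was reported, 0 if all is well.
check_fs_limits() {
    dir=$1; thr=${2:-90}; rc=0
    read nr_inodes rest < "$dir/inode-nr"
    read nr_files rest < "$dir/file-nr"
    file_max=$(cat "$dir/file-max")
    inode_max=0
    [ -r "$dir/inode-max" ] && inode_max=$(cat "$dir/inode-max")  # optional
    p=$(pct_of "$nr_files" "$file_max")
    [ "$p" -ge "$thr" ] && { echo "file handles at ${p}% of file-max"; rc=1; }
    if [ "$inode_max" -gt 0 ]; then
        p=$(pct_of "$nr_inodes" "$inode_max")
        [ "$p" -ge "$thr" ] && { echo "inodes at ${p}% of inode-max"; rc=1; }
        [ "$inode_max" -lt $(( 4 * file_max )) ] \
            && { echo "inode-max ($inode_max) below 4*file-max"; rc=1; }
    fi
    return $rc
}

# Stand-alone run against the sample: reports inodes at 97% and the
# undersized inode-max, which matches the "inode-max limit reached" symptom.
check_fs_limits "$FAKE_PROC_FS"
```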
participants (5)
- dproc
- Gediminas Grigas
- Herman Knief
- Leif Larsson
- thunder7@xs4all.nl