
Hi group,

Is it possible to start service rinetd with another user instead of root?

Thanks

Regards and warm greetings

Emanuele Parmigiani
CCNA CCDA
Sycom S.r.l.

Emanuele Parmigiani wrote:
Hi group, is it possible to start service rinetd with another user instead of root?
if you don't want to bind a port <1024 it's no problem...

Sven

--
intraDAT AG http://www.intradat.com
Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0
D - 60329 Frankfurt am Main Fax: +49 69-25629-256

Greetings all, I been trying to give my friend a shell account (ssh) And I have ran into some confusion.

The firewall box has ssh already on it, but it also has portforwarding. So I am confused as to where I should give my friend a shell at.

I also talk irc with my friend on a ircd which is located on 192.168.0.2 , but I wondering if this is safe to let ircd be port forwarded through firewall box

|----------------------------------
| modem (dialup)-- firewall box   |
|                  | redhat eth0
|----------------------------------
      |
|------------     |----------------
| hub       | --  | (eth0) 192.168.0.1 (just a client mandrake)
|------------
             \    |----------------
                  | (eth0) 192.168.0.2 (irc, shell accounts suse 7.2)

at the moment the only way I know to get through the external network is to ssh to the firewall box as root, then ssh again into 192.168.0.2 box.

I don't want my friend to know the root password on the firewall. I trust the guy, but he isn't very adept at linux and he might screw something up by accident. I want to avoid the accident. I also want to limit him to say 10MB and 10 process's (the cpu goes to 100% now with no limits on the account)

If I shut ssh off the firewall how can I turn on ssh through it to the shell accounts. Or is this the wrong way to do this? I am thinking the shell might be better off located on the firewall.

Should ircd be relocated to the firewall instead of where it is now (192.168.0.2)

and finally... a bloob, I accidentally deleted my ircd startup from the inetd.conf I tried YaST and manually editing it but the only way to start irc is manually now. Can someone show the line or lines in the inetd.conf that have the irc/ircd start up from inetd.conf There is not anything in the manual about this.

it used to start when I boot, but no more...;o(

Well as soon as I send the email I figure it out... anyone else ever have a day like that? heheh

I got ssh port-forwarded now and working fine while ssh on the firewall is turned off. Issue closed about ssh.

The only questions left here is where should ircd /irc be located and how to get mine starting automatically again. And if anyone can see a flaw in how I am doing things I would like to hear so I can patch any holes up.

current inetd.conf entry for ircd shows:

# from man ircd
ircd stream tcp wait irc /etc/ircd ircd -i

I notice in netstat -paut that there is no 6667 listening. if i type ircd and netstat -paut again

*:6667 listen

I don't think that's how you're supposed to start ircd automatically.

On Tuesday 10 July 2001 02:12 pm, you wrote:
Greetings all, I been trying to give my friend a shell account (ssh) And I have ran into some confusion.
The firewall box has ssh already on it, but it also has portforwarding. So I am confused as to where I should give my friend a shell at.
I also talk irc with my friend on a ircd which is located on 192.168.0.2 , but I wondering if this is safe to let ircd be port forwarded through firewall box
|----------------------------------
| modem (dialup)-- firewall box   |
|                  redhat eth0
|----------------------------------
      |
|------------     |----------------
| hub       | --  | (eth0) 192.168.0.1 (just a client mandrake)
|------------
             \    |----------------
                  | (eth0) 192.168.0.2 (irc, shell accounts suse 7.2)
at the moment the only way I know to get through the external network is to ssh to the firewall box as root, then ssh again into 192.168.0.2 box.
I don't want my friend to know the root password on the firewall. I trust the guy, but he isn't very adept at linux and he might screw something up by accident. I want to avoid the accident. I also want to limit him to say 10MB and 10 process's (the cpu goes to 100% now with no limits on the account)
If I shut ssh off the firewall how can I turn on ssh through it to the shell accounts. Or is this the wrong way to do this? I am thinking the shell might be better off located on the firewall.
Should ircd be relocated to the firewall instead of where it is now (192.168.0.2)
and finally... a bloob, I accidentally deleted my ircd startup from the inetd.conf I tried YaST and manually editing it but the only way to start irc is manually now. Can someone show the line or lines in the inetd.conf that have the irc/ircd start up from inetd.conf There is not anything in the manual about this.
it used to start when I boot, but no more...;o(

I would not give anyone an account on a firewall and definitely would not port forward through IRC. If you have port forwarding running okay, forward port 22 through the firewall to a local machine and give your friend an account there.

Personally, I just don't run any irc servers myself, preferring to allow someone else to deal with that security nightmare.

On Tue, 10 Jul 2001, phil wrote:
Greetings all, I been trying to give my friend a shell account (ssh) And I have ran into some confusion.
The firewall box has ssh already on it, but it also has portforwarding. So I am confused as to where I should give my friend a shell at.
I also talk irc with my friend on a ircd which is located on 192.168.0.2 , but I wondering if this is safe to let ircd be port forwarded through firewall box
|----------------------------------
| modem (dialup)-- firewall box   |
|                  | redhat eth0
|----------------------------------
      |
|------------     |----------------
| hub       | --  | (eth0) 192.168.0.1 (just a client mandrake)
|------------
             \    |----------------
                  | (eth0) 192.168.0.2 (irc, shell accounts suse 7.2)
at the moment the only way I know to get through the external network is to ssh to the firewall box as root, then ssh again into 192.168.0.2 box.
I don't want my friend to know the root password on the firewall. I trust the guy, but he isn't very adept at linux and he might screw something up by accident. I want to avoid the accident. I also want to limit him to say 10MB and 10 process's (the cpu goes to 100% now with no limits on the account)
If I shut ssh off the firewall how can I turn on ssh through it to the shell accounts. Or is this the wrong way to do this? I am thinking the shell might be better off located on the firewall.
Should ircd be relocated to the firewall instead of where it is now (192.168.0.2)
and finally... a bloob, I accidentally deleted my ircd startup from the inetd.conf I tried YaST and manually editing it but the only way to start irc is manually now. Can someone show the line or lines in the inetd.conf that have the irc/ircd start up from inetd.conf There is not anything in the manual about this.
it used to start when I boot, but no more...;o(
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Chad Whitten
Network/Systems Administrator
Nexband Communications
chadwick@nexband.com

Thanks for the reply. Let me clarify something.

IRC is being port-forwarded "through" the firewall to IRC. ie: you hit my firewall and it sends it to the 192.168.0.2 box running the ircd on port 6667. Is this what you meant? and if so then where would you put ircd at?

I am not sure what you mean by port-forwarding "through" IRC.

On Tuesday 10 July 2001 05:08 pm, you wrote:
I would not give anyone an account on a firewall and definitely would not port forward through IRC. If you have port forwarding running okay, forward port 22 through the firewall to a local machine and give your friend an account there. Personally, I just don't run any irc servers myself, preferring to allow someone else to deal with that security nightmare.

On Wednesday, 11 July 2001 02:53, phil wrote:
IRC is being port-forwarded "through" the firewall to IRC. ie: you hit my firewall and it sends it to the 192.168.0.2 box running the ircd on port 6667. Is this what you meant? and if so then where would you put ircd at?
Is the machine running irc services running any other services that you are using from (only) behind the firewall ? If not, IMHO it would be considerable to put it next to the firewall, run only ircd and sshd (maybe you can restrict access to it with some ipchains / -tables rules to a couple of hosts). If it's being cracked, the cracker is still in front of your firewall, not behind.

Good luck ;)

Bjoern

I have been considering this idea, my linux firewall book talks about not running ircd through the firewall. It says that Business and Commercial Firewalls shouldn't allow IRC through the firewall because of the risks of the protocol itself. Hmmmm. My only two choices are to run it on the firewall, or on 192.168.0.2, there's no other place I can put it right now.

Current pfwd rules on the firewall are:

Source port   Destination IP   Destination port
6667          192.168.0.2      6667 (ircd)
22            192.168.0.2      22 (ssh)
23            192.168.0.2      23 (Mystic BBS)
80            192.168.0.2      80 (httpd)

Ftp only available internally, not externally.

I solved the ssh problem already. It was too simple for me to do. I think that's why I made it too complicated to do. So thanks on that one. My friend now happily can ssh right to where I want him to, and I can totally control his account via the users / groups in YaST2. It is pretty nice.

On Wednesday 11 July 2001 12:05 am, you wrote:
Is the machine running irc services running any other services that you are using from (only) behind the firewall ? If not, IMHO it would be considerable to put it next to the firewall, run only ircd and sshd (maybe you can restrict access to it with some ipchains / -tables rules to a couple of hosts). If it's being cracked, the cracker is still in front of your firewall, not behind.
Good luck ;)
Bjoern
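
Added example, not part of any message in this thread: one way to apply the "restrict access to a couple of hosts" suggestion to the pfwd table posted above, by turning each forward into iptables DNAT and FORWARD commands with a per-service source allowlist. The interface name ppp0, the FORWARD policy of DROP and the 203.0.113.x addresses are assumptions made for the example.

```python
import ipaddress
import re

# Port-forward table as posted in the thread: source port, destination IP,
# destination port, (service label).
PFWD_TABLE = """\
6667 192.168.0.2 6667 (ircd)
22 192.168.0.2 22 (ssh)
23 192.168.0.2 23 (Mystic BBS)
80 192.168.0.2 80 (httpd)
"""

# Constructed allowlist (documentation addresses, not from the thread).
ALLOWED_SOURCES = {"ssh": ["203.0.113.10"], "ircd": ["203.0.113.10", "203.0.113.20"]}

RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+\((.+)\)$")


def parse_rules(table):
    """Return (src_port, dest_ip, dest_port, label) tuples; reject malformed lines."""
    rules = []
    for line in filter(None, map(str.strip, table.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        sport, dip, dport, label = m.groups()
        ipaddress.IPv4Address(dip)  # raises ValueError on a bad address
        if not all(1 <= int(p) <= 65535 for p in (sport, dport)):
            raise ValueError(f"bad port in rule: {line!r}")
        rules.append((int(sport), dip, int(dport), label))
    return rules


def iptables_rules(rules, allowed, ext_if="ppp0"):
    """Emit DNAT + FORWARD commands; allowlisted services get one pair per source.
    Assumes the FORWARD chain policy is DROP and ext_if is the dial-up interface."""
    out, unrestricted = [], []
    for sport, dip, dport, label in rules:
        sources = allowed.get(label)
        if not sources:
            unrestricted.append(label)  # still reachable from any address
        for src in sources or [None]:
            s = f"-s {src} " if src else ""
            out.append(f"iptables -t nat -A PREROUTING -i {ext_if} -p tcp {s}"
                       f"--dport {sport} -j DNAT --to-destination {dip}:{dport}")
            out.append(f"iptables -A FORWARD -i {ext_if} -p tcp {s}"
                       f"-d {dip} --dport {dport} -j ACCEPT")
    return out, unrestricted
```

The second return value lists the forwards that no allowlist entry covers, here the BBS on port 23 and httpd on port 80, which stay open to any source address.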

I don't think it is a good idea to give someone access to your firewall box. If you have configured your firewall and routing table correctly, you don't have to give a user account to your firewall. It's so simple, don't do this to yourself.

Kontogiannopoulos Dimitris
jim@infodomi.gr
Junior Net Admin

----- Original Message -----
From: "phil" <phil@osbtown.com>
To: <suse-security@suse.com>
Sent: Wednesday, July 11, 2001 12:12 AM
Subject: [suse-security] ssh shells and ircd on a small lan
Greetings all, I been trying to give my friend a shell account (ssh) And I have ran into some confusion.
The firewall box has ssh already on it, but it also has portforwarding. So I am confused as to where I should give my friend a shell at.
I also talk irc with my friend on a ircd which is located on 192.168.0.2 , but I wondering if this is safe to let ircd be port forwarded through firewall box
|----------------------------------
| modem (dialup)-- firewall box   |
|                  | redhat eth0
|----------------------------------
      |
|------------     |----------------
| hub       | --  | (eth0) 192.168.0.1 (just a client mandrake)
|------------
             \    |----------------
                  | (eth0) 192.168.0.2 (irc, shell accounts suse 7.2)
at the moment the only way I know to get through the external network is to ssh to the firewall box as root, then ssh again into 192.168.0.2 box.
I don't want my friend to know the root password on the firewall. I trust the guy, but he isn't very adept at linux and he might screw something up by accident. I want to avoid the accident. I also want to limit him to say 10MB and 10 process's (the cpu goes to 100% now with no limits on the account)
If I shut ssh off the firewall how can I turn on ssh through it to the shell accounts. Or is this the wrong way to do this? I am thinking the shell might be better off located on the firewall.
Should ircd be relocated to the firewall instead of where it is now (192.168.0.2)
and finally... a bloob, I accidentally deleted my ircd startup from the inetd.conf I tried YaST and manually editing it but the only way to start irc is manually now. Can someone show the line or lines in the inetd.conf that have the irc/ircd start up from inetd.conf There is not anything in the manual about this.
it used to start when I boot, but no more...;o(
participants (6)
- Bjoern Engels
- Dimitris Kontogiannopoulos
- dog@intop.net
- Emanuele Parmigiani
- phil
- Sven Michels