On Sat, 17.04.2004 at 18:30, Alexander Dalloz wrote:
> tcp_wrappers is from a time when packet filtering was no standard. I
> prefer to set up clean and manageable iptables chains/rules which even
> allow you stateful inspection. Having restrictive settings in more than
> 1 place makes it harder to administrate. And it does not necessarily
> improve security. I would kick all hosts.deny and hosts.allow settings
> and stick with iptables.

I forgot to mention: shut down all services you do not need. I.e. by default the portmapper runs on FC1 and offers RPC connects on port 111, which is a risk. If you do not run an NFS server, stop that service with "chkconfig portmap off; service portmap stop".

And if services offer you to configure restrictions, then use that feature. I.e. Sendmail is by default restricted to only listen on localhost. You may extend that by adding a DAEMON_OPTIONS line to sendmail.mc to let Sendmail also listen on 192.168.2.1, if that is your host's IP. That still restricts usage for Sendmail without any need to create an iptables rule nor restrictions using hosts.deny.

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2179.nptl
Sirendipity 19:54:30 up 1 day, 23:43, load average: 0.02, 0.03, 0.05
[ ΓΝΩΘΙ Σ'ΑΥΤΟΝ - gnothi seauton ]
my life is a planetarium - and you are the stars
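As an added example (not code from the post or from Fedora), here is a small POSIX shell audit of the question the message raises, which services are listening and on which address: it reads `netstat -tln` output (or `ss -tln`) and flags every listener bound beyond loopback, so an unneeded portmapper on 111 or a Sendmail bound to more than 127.0.0.1 stands out. The sample input is constructed to mirror the FC1 defaults described above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit which TCP listeners are
# reachable from other hosts, the check behind "shut down all services you
# do not need" and "restrict services to the addresses they must serve".
# Input is `netstat -tln` (or `ss -tln`) output on stdin.

# Print one line per listening socket: "<port> <bind-address> <verdict>".
audit_listeners() {
    awk '
        # Rows look like:  tcp  0  0  0.0.0.0:111  0.0.0.0:*  LISTEN
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")        # local address is column 4
            port = a[n]                  # last field after the final colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1")
                verdict = "local-only"
            else if (addr == "0.0.0.0" || addr == "::" || addr == "")
                verdict = "EXPOSED-all-interfaces"
            else
                verdict = "exposed-on-" addr
            print port, addr, verdict
        }'
}

# Number of listeners that are not bound to loopback.
count_exposed() {
    audit_listeners | grep -vc 'local-only$'
}

# Constructed sample resembling the FC1 defaults from the post: portmap on
# 111 on every interface, Sendmail on 25 on localhost plus 192.168.2.1
# (as after adding a DAEMON_OPTIONS line), and sshd on 22.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.2.1:25          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Usage on the sample:  printf '%s\n' "$SAMPLE" | audit_listeners
# Usage on a live host: netstat -tln | audit_listeners
```

Each line the audit prints as EXPOSED is a service to either stop (chkconfig off; service stop) or to rebind to the address it really has to serve.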