[NTLUG:Discuss] Anyone runs ftp, mail server, httpd and get catched from @home

Steve Egbert egbert at efficient.com
Thu Jan 11 12:19:11 CST 2001


That is true.  However, I've selected these names based on my DNS domain
scan (before they closed that capability) and made these seemingly safe
assumptions.

With HOME.NET, it is strictly given out to corporate employees and
contractors.

With ATT.NET, it is loosely given out to corporate employees.  However, for
a while there were some cell phone users starting to use this domain.  So, I
may re-evaluate this again.


As long as @Home users use traffic shapers and TOS routing, we can keep the
bandwidth to our servers artificially low (being good neighbors) and yet
give casual home users the unlimited bandwidth.


Steve

> -----Original Message-----
> From: MadHat [mailto:madhat at unspecific.com]
> Sent: Thursday, January 11, 2001 11:33 AM
> To: discuss at ntlug.org
> Subject: Re: [NTLUG:Discuss] Anyone runs ftp, mail server, httpd and get catched from @home
> 
> 
> All this talk is all fine and dandy, but if you block all of @home and att
> and such from your server, you can't receive mail from anyone on those
> domains (that use their servers), and they can't surf your site that you
> are wanting to host...
> 
> Remember where the conversation started?  Someone asked about hosting
> servers on their @home account.  If you want the server to be usable by the
> general public, you can't put broad restrictions on it and have it really
> usable by just anyone on the net (which if you are hosting a web site or
> your own mail, you really need that general, unrestricted access).
> 
> The below is the best for protecting your system and you still want to be
> able to get to it from outside (this is what I do, all I host is ssh), but
> if you want to be able to host DNS and/or a web site and/or mail and such,
> you can't really do that.  Not to mention that sendmail and httpd, for
> example, don't use tcp_wrappers and /etc/hosts.allow and deny, so the below
> would be useless for those daemons and anything else that doesn't use them.
> 
> My point was simple, yes you can do it, and probably won't be caught, but
> you might be, even if you take measures to keep from being noticed.  To
> make it all truly usable, you have to be open to the world for certain
> daemons, and therefore have a greater risk of being discovered.  If they
> want to find you, they will, it is very easy for anyone, and even easier
> from their vantage point.
> 
> At 11:00 AM 1/11/2001 -0600, you wrote:
> >* egbert at efficient.com [2001.01.10 17:25]:
> >: Actually, I think you would have a better chance of coverage if you do the
> >: following:
> >:
> >: /etc/hosts.deny
> >: ALL: tci.net, tci.com, home.net, att.net
> >:
> >:
> >: HOME.NET is used frequently by @Home corporate and network operation center.
> >:
> >: But, as a warning, this hosts.deny would not stop unregistered IP addresses or
> >: contracted security-scanner hosts.
> >:
> >: S
> >
> >Actually, the better way to cover your butt is this:
> >
> >/etc/hosts.deny
> >ALL: ALL
> >
> >/etc/hosts.allow
> >ALL: 127.0.0.1
> >sshd: 10.10.2.
> >
> >Where your hosts.allow is a list of services and IPs/networks you
> >"trust".  And of course, use firewalling.  There is a *massive*
> >firewalling script on freshmeat that I usually steal ideas from.  It's
> >way too complicated/bloated for my general usages, but you can check it
> >out here:  http://freshmeat.net/projects/rc.firewall/
> >--
> >cameron
> >[ I spilled spot remover on my dog.  He's gone now. ]
> >_______________________________________________
> >http://ntlug.org/mailman/listinfo/discuss
> 
> --
> MadHat at unspecific.com
> 
> 
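
The hosts.deny and hosts.allow rule sets quoted in this thread, run through a simplified model of the tcp_wrappers matching rules in hosts_access(5). This is an added example, not part of any poster's message; the client names and addresses and the leading-dot variant of the deny list are constructed, and the model leaves out netgroups, EXCEPT and netmasks.

```python
# Added example: simplified model of tcp_wrappers access control
# (hosts_access(5)). Not the libwrap source; netgroups, EXCEPT, netmasks
# and wildcards other than ALL are left out.

def host_match(pattern, name, addr):
    """Match one client pattern against a client's hostname and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # ".home.net": any host name under home.net
        return name.lower().endswith(pattern.lower())
    if pattern.endswith("."):     # "10.10.2.": any address with that prefix
        return addr.startswith(pattern)
    return pattern.lower() == name.lower() or pattern == addr  # else exact

def parse(text):
    """Parse 'daemons: clients' lines into (daemon_list, client_list) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def listed(rules, daemon, name, addr):
    """True if any rule names this daemon (or ALL) and matches the client."""
    return any(("ALL" in d or daemon in d) and
               any(host_match(p, name, addr) for p in c)
               for d, c in rules)

def allowed(allow, deny, daemon, name, addr):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if listed(parse(allow), daemon, name, addr):
        return True
    return not listed(parse(deny), daemon, name, addr)

# Rule sets quoted in the thread, plus a constructed leading-dot variant.
DENY_DOMAINS = "ALL: tci.net, tci.com, home.net, att.net"
DENY_DOMAINS_DOTTED = "ALL: .tci.net, .tci.com, .home.net, .att.net"  # constructed
ALLOW_TRUSTED = "ALL: 127.0.0.1\nsshd: 10.10.2."
DENY_ALL = "ALL: ALL"

# Constructed clients: (reverse-DNS name, address); "unknown" = no PTR record.
HOME_HOST = ("noc1.home.net", "192.0.2.10")
NO_PTR = ("unknown", "198.51.100.7")
LAN = ("unknown", "10.10.2.15")
```

In this model a bare `home.net` pattern matches only a host named exactly `home.net`, so the leading dot is needed to cover the domain, and either form still admits a client with no reverse DNS. The `ALL: ALL` deny paired with the short allow list rejects both and admits only the listed sshd network.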


