In general I would advise disabling identd, primarily due to the number of denial of service attacks it is susceptible to. You should only run it if you want to make the lives of other administrators easier, in tracking down which of your users are being bad. There are however other versions of identd available, some with security enhancements (I do not endorse these as I have yet to test them):

http://insecurity.net/ - Paul's secure identd written in perl
http://www.ojnk.nu/~odin/ - ojnk identd
http://www.tildeslash.org/nullidentd.html - null identd
http://www.ajk.tele.fi/~too/sw/ - fake identd
http://p8ur.op.het.net/midentd/ - midentd

Identd runs on port 113 using tcp, and typically you will only need it if you want to IRC (many irc networks require an identd response), or be nice to systems running daemons (such as tcp_wrapped telnet, or sendmail) that do identd lookups on connections.

ipfwadm -I -a accept -P tcp -S 10.0/8 -D 0.0/0 113
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0/0 113
ipfwadm -I -a deny -P tcp -S 0.0/0 -D 0.0/0 113

or

ipchains -A input -p tcp -j ACCEPT -s 10.0/8 -d 0.0/0 113
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0/0 113
ipchains -A input -p tcp -j DENY -s 0.0/0 -d 0.0/0 113

ntpd

NTP (Network Time Protocol) is rather simple in its mission: it keeps computers' clocks in synchronization. So what? Try comparing log files from 3 separate servers if their clocks are out of synch by a few minutes. NTP simply works by a client connecting to a time server, working out the delay between them (on a local LAN it might be only 1-2ms, across the internet it might be several hundred ms), and then it asks for the time and sets its own clock. Additionally servers can be clustered to keep themselves synchronized; the chances of 3 or more servers losing track of what time it is (also called "drift") are relatively low. The time signal is typically generated by an atomic clock or GPS signal, measured by a computer; these are stratum 1 time servers, below them are stratum 2 time servers that typically are publicly accessible, a company might maintain its own stratum 3 time servers if they have sufficient need, and so on. The data NTP exchanges is of course not terribly sensitive, it's a time signal, however if an attacker were able to tamper with it all sorts of nastiness could result: log files might be rendered unusable, accounts might be expired early, cron jobs that backup your server might run in prime time causing delays, etc. Thus it is a good idea to run your own time server(s), and set the maximum adjustment they will make to only a few seconds (they shouldn't drift very much in any case). If you are really paranoid, or have a great number of clients, you should consider buying a GPS time unit; they come in all shapes and sizes, from a 1U rack mount job that plugs directly into your LAN to ISA and PCI cards that plug into a server and have an antenna. It is a good idea to firewall off your time server, as a denial of service attack would be detrimental to your network; in addition to this, if possible you should use the encryption available in ntpd, based on DES it is generally sufficient to thwart most attackers. NTP is available from: http://www.eecis.udel.edu/~ntp/. There usually are no man pages with ntpd or xntpd (wonderful huh) but documentation can be found in /usr/doc/name/ typically, or at: http://www.eecis.udel.edu/~ntp/ntp_spool/html/index.htm. NTP runs on port 123 using udp and tcp, firewalling it is relatively simple:

ipfwadm -I -a accept -P udp -S 10.0/8 -D 0.0/0 123
ipfwadm -I -a accept -P udp -S some.trusted.host -D 0.0/0 123
ipfwadm -I -a deny -P udp -S 0.0/0 -D 0.0/0 123
ipfwadm -I -a accept -P tcp -S 10.0/8 -D 0.0/0 123
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0/0 123
ipfwadm -I -a deny -P tcp -S 0.0/0 -D 0.0/0 123

or

ipchains -A input -p udp -j ACCEPT -s 10.0/8 -d 0.0/0 123
ipchains -A input -p udp -j ACCEPT -s some.trusted.host -d 0.0/0 123
ipchains -A input -p udp -j DENY -s 0.0/0 -d 0.0/0 123
ipchains -A input -p tcp -j ACCEPT -s 10.0/8 -d 0.0/0 123
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0/0 123
ipchains -A input -p tcp -j DENY -s 0.0/0 -d 0.0/0 123

CVS

CVS allows multiple developers to work together on large source code projects and maintain a large code base in a somewhat sane manner. CVS's internal security mechanisms are rather simple (and some would say weak) on their own, and I would have to agree. CVS's authentication is typically achieved over the network using pserver; usernames are sent in clear text, and passwords are trivially hashed (no security really). To get around this you have several good options. In a Unix environment probably the simplest method is to use SSH to tunnel connections between the client machines and the server; "Tim TimeWaster" (Tim Hemel) has written an excellent page covering this that I won't bother to rehash, and it is available at: http://cuba.xs4all.nl/~tim/scvs/. A somewhat more complicated approach (but better in the long run for large installations) is to kerberize the CVS server and clients; typically large networks (especially in university environments) already have an established Kerberos infrastructure. Details on kerberizing CVS are available at: http://www.cyclic.com/cyclic-pages/security.html. Apart from that I would strongly urge firewalling CVS unless you are using it for some public purpose (such as an open source project across the Internet).

Another tool for securing CVS that just appeared is cvsd, a wrapper for pserver that chroots and/or suids it to a harmless user. cvsd is available at: http://cblack.mokey.com/cvsd/ in rpm format and a source tarball.

There are other less obvious concerns you should be aware of: when dealing with source code you should be very careful to ensure no Trojan horses or backdoors are emplaced. In an open source project this is relatively simple, review the code people submit, especially if it is a publicly accessible effort, such as the Mozilla project. Other concerns might be destruction of the source code; make sure you have backups.

CVS uses port 2401, tcp.

ipfwadm -I -a accept -P tcp -S 10.0/8 -D 0.0/0 2401
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0/0 2401
ipfwadm -I -a deny -P tcp -S 0.0/0 -D 0.0/0 2401

or

ipchains -A input -p tcp -j ACCEPT -s 10.0/8 -d 0.0/0 2401
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0/0 2401
ipchains -A input -p tcp -j DENY -s 0.0/0 -d 0.0/0 2401

rsync

rsync is an extremely efficient method for mirroring files, be it source code files of a CVS tree, a web site, or even this document. rsync preserves file permissions, links, file times and more; in addition to this it supports an anonymous mode (which incidentally I use for the mirroring of this document) that makes life very easy for all concerned. The rsync program itself can act as the client (run from a command line or script) and as the server (typically run from inetd.conf). The program itself is quite secure, it does not require root privileges to run as a client nor as the server (although it can if you really want it to), and can chroot itself to the root directory of whatever is being mirrored (this however requires root privileges and can be more dangerous than it is worth).
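The client/server exchange described in the ntpd section above, worked through as an added example (illustration code written for this page; it is not from the guide or from the NTP project). It computes the round-trip delay and clock offset with the standard NTP formulas from the protocol specification, and applies the "maximum adjustment of only a few seconds" the section recommends, so that a wildly wrong time signal (a bogus or tampered server) is refused instead of being applied. All timestamps are constructed; `MAX_ADJUST_SECONDS`, the function names and the simulated delays are assumptions for the illustration. It also goes one step beyond the text by showing why an asymmetric network path biases the measured offset, which is the practical reason to prefer nearby, well-connected time servers.

```python
"""NTP offset/delay worked example (added illustration, not from the guide).

Models one request/reply exchange, computes delay and offset with the standard
NTP formulas, and caps the correction that will be applied in one step.
All timestamps below are constructed, not captured from a real server.
"""
import math

# Largest correction we will apply from a single exchange, in seconds
# (the guide recommends "only a few seconds"); larger samples are refused.
MAX_ADJUST_SECONDS = 2.0  # assumed value for this illustration


def ntp_offset_and_delay(t1, t2, t3, t4):
    """Standard NTP computation from the four exchange timestamps.

    t1: client sends request   (client clock)
    t2: server receives request (server clock)
    t3: server sends reply      (server clock)
    t4: client receives reply   (client clock)
    Returns (offset, delay). offset > 0 means the client clock is behind
    the server and must move forward; delay is the network round trip
    with the server's processing time removed.
    """
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    return offset, delay


def simulate_exchange(client_error, server_error=0.0,
                      out_delay=0.030, back_delay=0.030,
                      server_processing=0.001, start=1_000_000.0):
    """Construct the four timestamps for one exchange.

    'True' time starts at `start`. The client clock reads true + client_error;
    the server clock reads true + server_error (non-zero models a bogus or
    tampered server). Returns (t1, t2, t3, t4) as the two clocks stamp them.
    """
    t1_true = start
    t2_true = t1_true + out_delay
    t3_true = t2_true + server_processing
    t4_true = t3_true + back_delay
    return (t1_true + client_error,
            t2_true + server_error,
            t3_true + server_error,
            t4_true + client_error)


def decide_adjustment(offset, max_adjust=MAX_ADJUST_SECONDS):
    """Return the correction to apply, or None if it exceeds the cap.

    Refusing (and logging) an oversized sample is the defensive behaviour:
    a single reply should never step the clock by minutes.
    """
    if not math.isfinite(offset) or abs(offset) > max_adjust:
        return None
    return offset


def sync_step(client_error, **exchange_kwargs):
    """One full round: exchange, compute, decide. Returns (offset, delay, applied)."""
    t1, t2, t3, t4 = simulate_exchange(client_error, **exchange_kwargs)
    offset, delay = ntp_offset_and_delay(t1, t2, t3, t4)
    return offset, delay, decide_adjustment(offset)


if __name__ == "__main__":
    # Client 250 ms slow, symmetric 30 ms path: offset recovered exactly.
    print("honest, symmetric :", sync_step(-0.250))
    # Same clock error, asymmetric path (80 ms out, 20 ms back): the offset
    # is biased by half the asymmetry, (0.080 - 0.020) / 2 = 30 ms. A single
    # exchange cannot detect this, which is why nearby servers are preferred.
    print("honest, asymmetric:", sync_step(-0.250, out_delay=0.080, back_delay=0.020))
    # Server whose clock (or a spoofed reply) is 10 minutes off: refused.
    print("bogus server      :", sync_step(-0.250, server_error=600.0))
```

Run it directly to see the three cases; the refused third case is the one the section's "maximum adjustment" advice is about, since without the cap a single bad reply would move the clock by ten minutes and scramble the log timelines the section warns about.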