From: Grant Taylor on 21 Jul 2008 23:34

On 7/21/2008 8:27 PM, Knute Johnson wrote:
> That's why I have the denyhosts running, because I need to ssh into the
> box from IPs that I don't know before I leave.

That's why I like to close down SSH port 22 to known hosts and run SSH elsewhere on a high port too. That way when I'm out and about I can SSH to the high port and I don't have to worry about skript kiddies on my main SSH port.

Grant. . . .
From: Moe Trin on 22 Jul 2008 15:55

On Mon, 21 Jul 2008, in the Usenet newsgroup comp.mail.sendmail, in article <48853796$0$4043$b9f67a60(a)news.newsdemon.com>, Knute Johnson wrote:

>Moe Trin wrote:

>My mistake, the server box is still running F8, so I think that is the
>correct sendmail. As of Saturday night, it was the latest FC8 update.

>> Are you a world traveler, or do you have users authorized to log into
>> your system from every IP address in the world? You'll find you will
>> waste fewer CPU cycles by configuring your firewall to only allow
>> connections to your SSH server from IP addresses you actually expect
>> may have a legitimate reason to connect. For me, that means allowing
>> just 1536 IP addresses (a /22 and two /24s) out of the 2676890800 IPv4
>> addresses in current use in the entire world.

>That's why I have the denyhosts running, because I need to ssh into the
>box from IPs that I don't know before I leave.

http://www.iana.org/assignments/ipv4-address-space

If you must leave it wide open, I _strongly_ agree with Grant that you move the server to some high port number over roughly 1100, and not one of the commonly used ones (see the nmap package that is part of FC8). Before you think "SECURITY THROUGH OBSCURITY!" remember that moving the server location in no way changes the authentication mechanisms you have in place - you still need a valid username and password to get in. What it _does_ do is to raise a trivial barrier to the skript kiddiez and 'bots that know that SSH servers only exist on port 22.

There are even stronger concepts like 'port knocking' where the remote has to send a packet to a specific _closed_ port which causes the firewall to temporarily open some other port (where the SSH server is actually waiting) to that specific address. This mechanism is a strong defense against port-scanning, BUT may be more work than is needed or desired ("KISS" = "Keep It Simple, Stupid!").

>Thanks, that name problem is coming from denyhosts. I think I'm going
>to have to talk to them about that.

Depending on hostnames for security (except where the lack of an appropriate 'A' or 'PTR' record is grounds for blocking) is usually a bad idea. The man page for tcp_wrappers (man 5 hosts_access) provides two 'wildcard' entries (KNOWN and UNKNOWN), but Prof. Venema warns in the descriptions of possible problems due to name resolution mis-cues. There is also a 'PARANOID' wildcard that _could_ be useful for some services, but would trigger on 'generic' 'PTR' names like the two you posted (196-201-135-143.iwayafrica.com and 83.72.199.48.ip.tele2adsl.dk, which may not have matching 'A' records).

I've always felt that "reactionary" programs (programs that react to perceived events) are less useful than common sense. It used to be a childish h4X0r trick to send packets to their "friend's" computer that spoofed "attacks" from the DNS server or gateway that the "friend" was using. This is much less common today, but the concept remains.

Old guy
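The two firewall-side approaches Grant and Moe describe above (accept SSH only from the handful of networks you actually connect from, or hide a high-port sshd behind a port-knock sequence), as an added example that is not code from the thread: a POSIX sh script that generates an iptables ruleset rather than applying it, so it can be reviewed first. The chain name SSH_IN_<port>, the "recent" list names KNOCK1..3, the 10 s / 30 s timeouts and the documentation-range networks in the demo call are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate (but do not apply) an
# iptables ruleset for the two approaches discussed above:
#   1. gen_ssh_rules  PORT CIDR...      - accept NEW SSH connections on PORT
#      only from the listed networks (Moe's "a /22 and two /24s") and drop
#      the rest;
#   2. gen_knock_rules SSHPORT K1 K2 K3 - a three-packet port-knock sequence
#      using the iptables "recent" match; only a source that has hit K1, K2,
#      K3 in order within the time limits may reach SSHPORT.
# Chain name SSH_IN_<port>, list names KNOCK1..3 and the timeouts are this
# example's own choices. Review the output, then run it as root.

# is_cidr A.B.C.D/N: true if the argument is a syntactically valid IPv4 CIDR.
is_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
            exit 0
        }'
}

# is_port N: true for an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

gen_ssh_rules() {
    port=$1; shift
    is_port "$port" || { echo "bad port: $port" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no networks given" >&2; return 1; }
    for net in "$@"; do
        is_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
    done
    chain="SSH_IN_$port"
    echo "iptables -N $chain"
    echo "iptables -F $chain"
    # Only NEW connections are sent to the chain; established traffic is
    # assumed to be accepted by an earlier ESTABLISHED,RELATED rule in INPUT
    # (older iptables spell this match "-m state --state NEW").
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j $chain"
    for net in "$@"; do
        echo "iptables -A $chain -s $net -j ACCEPT"
    done
    echo "iptables -A $chain -j DROP"
}

gen_knock_rules() {
    ssh_port=$1; k1=$2; k2=$3; k3=$4
    for p in "$ssh_port" "$k1" "$k2" "$k3"; do
        is_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    # Each knock is recorded in a "recent" list and the packet itself is
    # dropped, so the knock ports look closed to a scanner. A stage only
    # fires if the same source hit the previous stage within 10 seconds.
    echo "iptables -A INPUT -p tcp --dport $k1 -m recent --name KNOCK1 --set -j DROP"
    echo "iptables -A INPUT -p tcp --dport $k2 -m recent --name KNOCK1 --rcheck --seconds 10 -m recent --name KNOCK2 --set -j DROP"
    echo "iptables -A INPUT -p tcp --dport $k3 -m recent --name KNOCK2 --rcheck --seconds 10 -m recent --name KNOCK3 --set -j DROP"
    # A completed sequence opens SSHPORT to that source for 30 seconds;
    # everyone else is dropped. sshd must be listening on SSHPORT.
    echo "iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --name KNOCK3 --rcheck --seconds 30 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j DROP"
}

# Stand-alone demo: known networks on port 22, knocking for a high port.
# (Networks are documentation ranges, constructed for the example.)
gen_ssh_rules 22 10.0.0.0/22 192.0.2.0/24 198.51.100.0/24
gen_knock_rules 2222 7000 8000 9000
```

Note that the port move alone changes nothing about authentication, exactly as Moe says; what the generated rules add is that port 22 answers only the listed networks, and the high port answers only a source that has just completed the knock. The knock rules are the minimal form: a hit on a wrong port does not clear the lists, so a stricter setup would add rules with `--remove` to reset the sequence.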
From: Knute Johnson on 22 Jul 2008 17:40

Moe Trin wrote:
> If you must leave it wide open, I _strongly_ agree with Grant that you
> move the server to some high port number over roughly 1100, and not one
> of the commonly used ones (see the nmap package that is part of FC8).
> Before you think "SECURITY THROUGH OBSCURITY!" remember that moving
> the server location in no way changes the authentication mechanisms
> you have in place - you still need a valid username and password to
> get in. What it _does_ do is to raise a trivial barrier to the skript
> kiddiez and 'bots that know that SSH servers only exist on port 22.
> There are even stronger concepts like 'port knocking' where the remote
> has to send a packet to a specific _closed_ port which causes the
> firewall to temporarily open some other port (where the SSH server is
> actually waiting) to that specific address. This mechanism is a strong
> defense against port-scanning, BUT may be more work than is needed or
> desired ("KISS" = "Keep It Simple, Stupid!").
>
>> Thanks, that name problem is coming from denyhosts. I think I'm going
>> to have to talk to them about that.
>
> Depending on hostnames for security (except where the lack of an
> appropriate 'A' or 'PTR' record is grounds for blocking) is usually a
> bad idea. The man page for tcp_wrappers (man 5 hosts_access) provides
> two 'wildcard' entries (KNOWN and UNKNOWN), but Prof. Venema warns in
> the descriptions of possible problems due to name resolution mis-cues.
> There is also a 'PARANOID' wildcard that _could_ be useful for some
> services, but would trigger on 'generic' 'PTR' names like the two you
> posted (196-201-135-143.iwayafrica.com and 83.72.199.48.ip.tele2adsl.dk
> which may not have matching 'A' records).
>
> I've always felt that "reactionary" programs (programs that react to
> perceived events) are less useful than common sense. It used to be a
> childish h4X0r trick to send packets to their "friend's" computer that
> spoofed "attacks" from the DNS server or gateway that the "friend" was
> using. This is much less common today, but the concept remains.
>
> Old guy

Thanks for the information. I'm really not worried about my ssh server. I'm using public key authentication and the odds of the script kiddies getting in are infinitesimal.

What I really wanted to understand and still don't is what the error message means and where was it generated. Did tcpwrappers fail to authorize the connection and report the warning, or did they actually connect to my mail server? Or did tcpwrappers blow up when it found an address it couldn't verify?

Thanks,

--
Knute Johnson
email s/nospam/knute2008/
From: Moe Trin on 23 Jul 2008 16:06

On Tue, 22 Jul 2008, in the Usenet newsgroup comp.mail.sendmail, in article <488653bc$0$4050$b9f67a60(a)news.newsdemon.com>, Knute Johnson wrote:

>Moe Trin wrote:

>> If you must leave it wide open, I _strongly_ agree with Grant that you
>> move the server to some high port number over roughly 1100, and not one
>> of the commonly used ones (see the nmap package that is part of FC8).

>I'm really not worried about my ssh server. I'm using public key
>authentication and the odds of the script kiddies getting in are
>infinitesimal.

Then why are you worrying about blocking skript kiddiez and bots?

>What I really wanted to understand and still don't is what the error
>message means and where was it generated. Did tcpwrappers fail to
>authorize the connection and report the warning, or did they actually
>connect to my mail server? Or did tcpwrappers blow up when it found
>an address it couldn't verify?

It's 'libwrap' rather than tcpwrappers, but yes that would appear to be the problem.

Old guy
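Moe's description of the KNOWN / UNKNOWN / PARANOID wildcards earlier in the thread, and the libwrap answer just given, as an added example that is not libwrap's code and not from the thread: a POSIX sh model of how hosts_access(5) classifies a connecting address by comparing its PTR name against that name's forward lookup, and what a name-based hosts.allow rule then sees. The DNS tables, the addresses and names in them, and the hosts.allow/hosts.deny policy are all constructed for the demo; real libwrap performs the lookups with gethostbyaddr()/gethostbyname().

```shell
#!/bin/sh
# Added example, not libwrap's code: a model of how tcp_wrappers/libwrap
# classifies a client address as KNOWN, UNKNOWN or PARANOID before the
# hosts.allow / hosts.deny patterns are consulted (see hosts_access(5)).
# All names, addresses and the policy below are CONSTRUCTED for the demo.

# Constructed reverse (PTR) table: address -> name; empty = no PTR record.
ptr_lookup() {
    case "$1" in
        10.0.0.5)     echo "shell.example.net" ;;
        192.0.2.44)   echo "44-2-0-192.dsl.example" ;;  # generic PTR, no A record
        203.0.113.7)  echo "shell.example.net" ;;       # PTR claims a name it does not own
        *)            echo "" ;;                        # no PTR record at all
    esac
}

# Constructed forward (A) table: name -> space-separated addresses.
a_lookup() {
    case "$1" in
        shell.example.net) echo "10.0.0.5" ;;
        *)                 echo "" ;;
    esac
}

# classify ADDRESS: prints KNOWN, UNKNOWN or PARANOID.
#   UNKNOWN  - the address has no PTR name
#   PARANOID - it has a PTR name, but that name does not resolve back to
#              the address (forward lookup fails or lists other addresses)
#   KNOWN    - name and address agree
classify() {
    addr=$1
    name=$(ptr_lookup "$addr")
    if [ -z "$name" ]; then
        echo UNKNOWN
        return 0
    fi
    for fwd in $(a_lookup "$name"); do
        if [ "$fwd" = "$addr" ]; then
            echo KNOWN
            return 0
        fi
    done
    echo PARANOID
    return 0
}

# client_name ADDRESS: the host name libwrap matches patterns against.
# Only a verified name is used; otherwise the literal strings "unknown"
# and "paranoid" stand in for it, so a forged PTR cannot satisfy a
# name-based rule.
client_name() {
    case $(classify "$1") in
        KNOWN)    ptr_lookup "$1" ;;
        UNKNOWN)  echo unknown ;;
        PARANOID) echo paranoid ;;
    esac
}

# decide DAEMON ADDRESS: evaluate this constructed policy, hosts.allow
# first, then hosts.deny, first match wins:
#   hosts.allow:  sshd: .example.net
#   hosts.deny:   ALL: PARANOID
#                 ALL: ALL
# Prints "allow (name)" or "deny (name)".
decide() {
    daemon=$1; addr=$2
    name=$(client_name "$addr")
    if [ "$daemon" = sshd ]; then
        case "$name" in
            *.example.net) echo "allow ($name)"; return 0 ;;
        esac
    fi
    echo "deny ($name)"
    return 0
}

# Stand-alone demo over the constructed table.
for a in 10.0.0.5 192.0.2.44 203.0.113.7 198.51.100.9; do
    echo "$a -> $(classify "$a"); sshd: $(decide sshd "$a")"
done
```

The generic DSL name with no A record and the forged PTR both come out PARANOID, which is Moe's point: a rule written in terms of host names never gets to see the name a PARANOID client presented, and an address with no PTR at all is simply "unknown". Address-based patterns (or the firewall rules above) do not depend on that lookup succeeding.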