[Tfug] My new machine
Erich Flothmeier
tfug@tfug.org
Thu Jul 11 20:39:01 2002
OK guys,
Several people have asked questions about my new system as it
pertains to security. I'll try to answer them in this message.
>Keith Davey <kdavey@gus33.homeip.net>
>Hi Erich,
>The distro you are running would help me give you a more accurate answer.
>However the trend today is to use ssh as the primary remote access method
>on most new linux distros. Almost all new linux distros come with
>telnet disabled in inetd.conf by default, and for the most part it should
>stay that way.
it's Mandrake 8.2
kernel: 2.4.18-6mdk
I can telnet out from this machine to other machines, but I can't
do the reverse.
.
>If you are connecting from a windows system to this box I recommend Putty
>as a good ssh client. Small fast and effective.
No, no Windows, only Linux.
.
>Cheers
.
>Keith Davey
>Brian Murphy <murphy@u.arizona.edu>
>Sounds like you may have kernel firewalling on.
>ipchains -L will show you.
I get:
[root@cbl root]# ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
This tells me that ipchains is not stopping anything. Correct?
>Harry McGregor <micros@azstarnet.com>
>If ipchains does not work, try using "iptables -L", IP tables is the
>default for most 2.4.x kernels (a "uname -a" will show you what kernel you
>are running).
I get:
[root@cbl root]# iptables -L
/lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz:
init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters,
including invalid IO or IRQ parameters
modprobe: insmod /lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/
ip_tables.o.gz failed
modprobe: insmod ip_tables failed
iptables v1.2.5: can't initialize iptables table `filter':
iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
This suggests to me that iptables is disabled as well. Correct?
The plan is to get this machine to interface with the internet, while
another of my machines connects to it to control it remotely using
xterms and other clients from this internet-interface host.
Once I get this configured I can "swap out" the current machine I'm
using as an internet interface so that it can be upgraded.
Cheers,
Erich
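
The reading of the `ipchains -L` listing in the message above (every policy ACCEPT, no rule lines under any chain) can be checked mechanically. This is an added example, not part of the original post; the function name `ipchains_summary` is hypothetical and the second sample listing is constructed for contrast.

```shell
#!/bin/sh
# Added example (not from the original post): summarise `ipchains -L` output.
# Reads a listing on stdin, prints "<chain> <policy> <rule count>" per chain,
# and returns 0 only when every built-in policy is ACCEPT and no chain has rules.
ipchains_summary() {
    awk '
        /^Chain / {
            chain = $2; order[++n] = chain; rules[chain] = 0
            policy[chain] = "-"              # user-defined chains carry no policy
            if ($3 == "(policy") { p = $4; sub(/\).*$/, "", p); policy[chain] = p }
            next
        }
        /^target[ \t]/ || /^[ \t]*$/ { next }    # column header or blank line
        chain != "" { rules[chain]++ }           # any other line under a chain is a rule
        END {
            unfiltered = (n > 0)                 # empty input is not a clean result
            for (i = 1; i <= n; i++) {
                c = order[i]
                printf "%s %s %d\n", c, policy[c], rules[c]
                if (rules[c] > 0 || (policy[c] != "-" && policy[c] != "ACCEPT"))
                    unfiltered = 0
            }
            exit (unfiltered ? 0 : 1)
        }'
}

# The listing quoted in the message above.
PAGE_LISTING='Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):'

# Constructed listing for contrast: a DENY policy with one rule.
CONSTRUCTED_LISTING='Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     tcp  ------  anywhere             anywhere              any ->   ssh
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):'

printf '%s\n' "$PAGE_LISTING" | ipchains_summary \
    && echo "ipchains: no rules, all policies ACCEPT"
printf '%s\n' "$CONSTRUCTED_LISTING" | ipchains_summary \
    || echo "ipchains: rules or a non-ACCEPT policy present"
```

On a live system the function would be fed with `ipchains -L -n | ipchains_summary`; it only describes the packet filter and says nothing about whether a telnet service is listening.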