Page last updated:
2005 Aug 18 15:40

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] DNS and security



Cylar Z said:
> Hey all,
>
> I'm a fairly new Linux admin, running Fedora Core from
> Redhat.  Two questions:
>
> 1. Outgoing DNS isn't working properly on my server.
> The box will respond properly to incoming http
> requests (and even allowed me to host 2 virtual
> domains, which also respond properly). However, it
> does NOT surf the web from the console or ping by
> domain name. It WILL ping by IP so I know the issue is
> DNS and not my actual connection per se. How do I put
> in the DNS info in Fedora Core?
> I tried logging on as
> root, typing "setup" and entering the IP's in the
> designated spaces, but no luck. Is there another way?

Edit the file /etc/resolv.conf and add your nameservers there.
e.g.:
search yourdomain.example.com
nameserver IP.ADDRESS.WITH.NUMBERS
nameserver IP.ADDRESS.WITH.NUMBERS
nameserver IP.ADDRESS.WITH.NUMBERS

Repeat the nameserver line for as many as you have.

What is more likely the problem? You may have selected a
filtering/firewall policy that is so restrictive as to disallow incoming
port 53 UDP requests, or responses from your DNS.

> 2. In the interest of system security, I want to run
> the absolute minimum number of daemons/services. Which
> ones do I really, really need? So far I've established
> that I need httpd, sshd, sendmail, xinetd, and
> possibly cron. Are there any others that are suggested
> that I be running? This server responds to web
> requests and lets me SSH in remotely. (I don't use
> Telnet.) That's about all it needs to do.

I do not use FC, but those seem ok.

Why do you need xinetd?

crond should not be network enabled, so its risk is mostly one of local
violations if security holes are found with it. Also, cron is expected to
be there for many distro-specific tasks and updates, like mandb, and
updatedb, log rotate, etc.

SSH v1 is not happy. Make sure your ssh server enforces sshv2 only.

> Also, is FTP a security risk, or is it safe to leave
> this port open?

ftp and telnet suffer from plain-text authentication, and being sniffed on
the wire with credential theft. If your ftp is just anonymous, who cares
about credential theft?
ftp is another service, and if you do not need it, why enable it?

As for DNS Security, Dan Kaminsky has published a few papers and tools for
allowing information leakage through DNS by users on a network that allows
DNS lookups by users. Some of the ideas are amusing. There is a
theoretical method to defeat many of them, but nothing written AFAIK.

Not likely to be a problem with a web-server-only system, it is only
mentioned here because of the topic.

-ME

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
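
The resolv.conf layout described in the reply above can be checked mechanically. The following shell script is an added example, not part of the original post; `is_ipv4`, `check_resolv` and the sample addresses are constructed for illustration, and only IPv4 nameserver entries are recognised.

```shell
#!/bin/sh
# Added example: sanity-check a resolv.conf-style file (IPv4 entries only).

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                  # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        { [ -n "$octet" ] && [ "$octet" -le 255 ]; } || return 1
    done
    return 0
}

# check_resolv FILE: print "usable=N rejected=N ignored=N"; succeed if usable > 0.
# "rejected" counts nameserver lines whose value is not an IPv4 address, such as
# a placeholder copied literally. "ignored" counts valid entries past the third:
# glibc's resolver uses at most three nameserver lines (MAXNS in <resolv.h>).
check_resolv() {
    usable=0; rejected=0; ignored=0
    [ -r "$1" ] || { echo "unreadable: $1"; return 1; }
    while read -r key value rest; do
        [ "$key" = nameserver ] || continue
        if is_ipv4 "$value"; then usable=$((usable + 1))
        else rejected=$((rejected + 1)); fi
    done < "$1"
    if [ "$usable" -gt 3 ]; then ignored=$((usable - 3)); fi
    echo "usable=$usable rejected=$rejected ignored=$ignored"
    [ "$usable" -gt 0 ]
}

# Constructed sample: the post's placeholder left in by mistake, plus four
# addresses from the 192.0.2.0/24 documentation range.
sample=$(mktemp)
cat > "$sample" <<'EOF'
search yourdomain.example.com
nameserver IP.ADDRESS.WITH.NUMBERS
nameserver 192.0.2.1
nameserver 192.0.2.2
nameserver 192.0.2.3
nameserver 192.0.2.4
EOF
check_resolv "$sample"
rm -f "$sample"
```

If the file checks out and lookups by name still fail, the firewall policy for UDP port 53 mentioned in the reply is the next thing to inspect.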


