Be aware that when a port is open it has to respond correctly in the
3-way handshake so that machines can connect to it.

Regarding POP: if you must have a POP3 service, use APOP or MD5-style
authentication. I'd think it better to block incoming POP on the cable
interface and use IMAP with CRAM-MD5 authentication, but that isn't
trivial to configure.

Regards, Kerry.

On Sat, Oct 28, 2000 at 02:23:35AM -0400, Frank J. Carmickle wrote:
> Ok Brian.
> How secure do you want this machine that lives on the wonderfully
> insecure network of athome? I would imagine that you want something
> that's a little tighter than what you have right now. When I portscan
> you I see 21 23 24 80 110 and 113. Looks like everything else is closed
> up. My recommendation to you is to get ssh on your box and forget about
> telnet and ftp for starters. Why you have pop3 waiting for connections
> is something else I would think you would want shut down. If you really
> need http keep it. However if you have another machine that you can
> specifically set up as a firewall you will be a lot happier to know
> that all of the traffic to your http server can be logged. Same goes
> for everything else.
>
> One thing that you really also want to have happening is some ipchains
> rules set up so that your machine doesn't respond to portscans or ping
> requests. This should fool most people looking around to find someone
> vulnerable. I'll post an ipchains rule set that has a lot of this done
> for you already. Then Kerry can go over it with a fine tooth comb and
> tell me what's wrong with it.
>
> HTH
> FC
>
> On Fri, 27 Oct 2000, brian Moore wrote:
>
> > Greetings all. Okay, finally got my linux box up and all my services
> > running the way I want. My mail server is finally doing what I want.
> > I think I have all my ipchains rules set up right and plugged all the
> > security holes I know of. The one I'm not clear on is my port 25
> > security. If this machine ever becomes a spam host, I will have to
> > shoot myself, so I want to make real sure that no one except those in
> > my local network can use it. Probably asking for trouble, but got all
> > my logging on verbose to see what happens. Can someone try and use my
> > smtp server and see if you can. If you notice anything else, let me
> > know as well.
> >
> > Would really appreciate it.
> >
> > host is bmoore.yi.org
> > thanks. brian.
> >
> > _______________________________________________
> > Speakup mailing list
> > Speakup at braille.uwo.ca
> > http://speech.braille.uwo.ca/mailman/listinfo/speakup

-- 
Kerry Hoath: kerry at gotss.eu.org
Alternates: kerry at emusys.com.au kerry at gotss.spice.net.au or khoath at lis.net.au
ICQ UIN: 62823451
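The rule set FC promises to post never appears in this message, so here is an added example of what such an ipchains rule set looks like, in the spirit of the advice above: default-deny on the cable side, silently swallow SYNs to telnet, ftp, pop3 and the like, drop ping, and log what was refused. It also reflects Kerry's point that a port the kernel actually serves must complete the handshake, so the only way to stay quiet on it is to filter the SYN before the service ever sees it. This is not code posted in the thread; the interface name `eth0`, the LAN prefix `192.168.1.0/24`, the resolver address `203.0.113.53` and the `EXPOSE_SMTP` switch are placeholders and assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the Speakup thread: an ipchains rule set for a
# single Linux host on a cable modem.  EXT_IF, LAN_NET and DNS_SERVER are
# placeholders (assumptions of this example); adjust them before applying.
EXT_IF="${EXT_IF:-eth0}"                 # cable-modem side (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed private LAN prefix
DNS_SERVER="${DNS_SERVER:-203.0.113.53}" # placeholder for the ISP resolver
EXPOSE_SMTP="${EXPOSE_SMTP:-no}"         # "yes" only if the box must receive mail
IPCHAINS="${IPCHAINS:-ipchains}"

# emit prints one ipchains invocation; the rule set is generated as text so it
# can be read (and argued over on the list) before it touches the kernel.
emit() { printf '%s %s\n' "$IPCHAINS" "$*"; }

fw_rules() {
    # start clean; default-deny for anything arriving or being forwarded
    emit -F input
    emit -F output
    emit -F forward
    emit -P input DENY
    emit -P output ACCEPT
    emit -P forward DENY
    # loopback and the LAN (on its own interface) are trusted
    emit -A input -i lo -j ACCEPT
    emit -A input -i ! "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    # anti-spoofing: LAN addresses never legitimately arrive on the cable side
    emit -A input -i "$EXT_IF" -s "$LAN_NET" -l -j DENY
    # replies to connections we opened ourselves: TCP segments without SYN
    # (ipchains has no connection tracking, so "! -y" is the usual substitute)
    emit -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # UDP answers from the resolver we query (source port 53)
    emit -A input -i "$EXT_IF" -p udp -s "$DNS_SERVER" 53 -j ACCEPT
    # services deliberately exposed on the cable side: ssh (22) and http (80)
    emit -A input -i "$EXT_IF" -p tcp -d 0/0 22 -j ACCEPT
    emit -A input -i "$EXT_IF" -p tcp -d 0/0 80 -j ACCEPT
    # receiving mail needs 25 reachable; who may *relay* is the MTA's job,
    # not the firewall's
    if [ "$EXPOSE_SMTP" = yes ]; then
        emit -A input -i "$EXT_IF" -p tcp -d 0/0 25 -j ACCEPT
    fi
    # every other inbound SYN (telnet, ftp, pop3, auth, ...) is logged and
    # silently dropped: DENY sends nothing back, so the port looks filtered
    emit -A input -i "$EXT_IF" -p tcp -y -l -j DENY
    # do not answer ping from outside: drop ICMP echo-request (type 8)
    emit -A input -i "$EXT_IF" -p icmp -s 0/0 8 -j DENY
    # whatever is left is logged, then hits the DENY policy
    emit -A input -i "$EXT_IF" -l -j DENY
}

# fw_apply loads the generated rules; only meaningful as root on a 2.2 kernel
fw_apply() { fw_rules | sh -e; }

# count_target reports how many generated rules jump to the given target,
# a cheap sanity check on the rule set before loading it
count_target() { fw_rules | grep -c -- "-j $1\$"; }

# running the script prints the rule set; call fw_apply to load it
fw_rules
```

Two caveats a reviewer with a fine tooth comb would raise: `! -y` accepts any TCP segment without the SYN flag, so it lets replies to your own connections in but also anything else that lacks SYN (ipchains cannot tell the difference; that is what connection tracking in later kernels fixed), and leaving port 25 reachable is what lets you receive mail, so the "nobody but my LAN may use it" requirement has to be enforced as relay restrictions in the MTA, where the firewall cannot see the SMTP envelope at all.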