Subject | Re: RES: [ib-support] Where I find a really good security specific IB/FB group?
---|---
Author | William L. Thomson Jr.
Post date | 2002-07-17T04:56:05Z
On Tue, 2002-07-16 at 21:38, Edwin Pratomo wrote:
>That's one way to do it.
> If you're using Firebird on Linux, you don't need to develop such
> things, just use ipchains/iptables to allow access to port 3050 on the
> machine only from trusted hosts.
> In an article on ibphoenix I read about /etc/gds_hosts.equiv to do
> similar task, but it didn't work when I tried it.
You should have been using hosts.allow and hosts.deny.
I do
ALL:ALL
in the hosts.deny file on my DB server
And then in the hosts.allow file
ALL: .domainname.com
ALL: 192.168.0.
Which allows anyone in .domain.com or an IP starting with 192.168.0 to
access the server.
or for specific IPs
ALL: 192.168.0.1
You could be specific on what services, but denying all is the best in
that file, and then in the allow file you could use specific services.
To use specific services use
ibserver:
instead of ALL
Of course you could do both ipchains/iptables and then dial in
hosts.allow and hosts.deny, if you are really paranoid, but usually one
or the other is good enough.
> We should also worry about a kind of DOS attack which simply open
> excessive socket connections (and do nothing) until the server hits max
> number of socket. That's why restricting access and accepting
> connections only from trusted hosts is necessary in several cases, web
> hosting environment as an example.
I could not agree more. I also recommend running a dedicated DB server.
So the machine itself is only used by those who are allowed to, not
the public.
I do not recommend running other public services on a machine that will
also run the db server, as that is asking for further problems. If there
is an exploit in some other software, then everything else on that
machine is vulnerable as well.
--
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone 707.766.9509
Fax 707.766.8989
http://www.obsidian-studios.com
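As an added illustration, not part of the mailing-list post, the following POSIX shell script re-implements the tcpd / libwrap decision rule from hosts_access(5) and evaluates it against constructed copies of the hosts.allow and hosts.deny the post describes. It takes the daemon name ibserver from the post; the addresses and host names in the sample files are constructed, and the script is an editor's model of the rule, not the wrapper library itself.

```shell
#!/bin/sh
# Added example, not code from the original post: a compact re-implementation
# of the tcpd / libwrap decision rule from hosts_access(5), evaluated against
# constructed hosts.allow and hosts.deny files that mirror the post's setup.
#
# Order of evaluation:
#   1. hosts.allow is searched; the first matching rule GRANTS access.
#   2. otherwise hosts.deny is searched; the first matching rule REFUSES access.
#   3. if no rule in either file matches, access is GRANTED.
# Step 3 is why the post puts "ALL: ALL" in hosts.deny.

HOSTS_ALLOW=$(mktemp)
HOSTS_DENY=$(mktemp)
EMPTY_DENY=$(mktemp)          # constructed: a hosts.deny with "ALL: ALL" forgotten
trap 'rm -f "$HOSTS_ALLOW" "$HOSTS_DENY" "$EMPTY_DENY"' EXIT

# Constructed sample files. "ibserver" is the daemon name used in the post; on a
# real system the field must be the program name (x)inetd launches (assumption).
cat > "$HOSTS_ALLOW" <<'EOF'
# hosts in the domain, the whole 192.168.0.x range, and one explicit host
ibserver: .domainname.com
ibserver: 192.168.0.
sshd: 192.168.0.1
EOF
printf 'ALL: ALL\n' > "$HOSTS_DENY"

# match_client PATTERN IP HOST -> 0 when PATTERN covers the client.
match_client() {
    mp=$1; mip=$2; mhost=$3
    case "$mp" in
        ALL) return 0 ;;
        .*)  case "$mhost" in *"$mp") return 0 ;; esac ;;   # ".domain" = hostname suffix
        *.)  case "$mip"   in "$mp"*) return 0 ;; esac ;;   # "a.b.c." = address prefix
        *)   if [ "$mp" = "$mip" ] || [ "$mp" = "$mhost" ]; then return 0; fi ;;
    esac
    return 1
}

# file_matches FILE DAEMON IP HOST -> 0 when some "daemon_list : client_list"
# line in FILE applies to DAEMON and covers the client. Comments start in
# column 1; list items may be separated by blanks or commas.
file_matches() {
    f=$1; daemon=$2; ip=$3; host=$4
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        dlist=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clist=$(printf '%s' "${line#*:}"  | tr ',' ' ')
        for d in $dlist; do                      # unquoted on purpose: word split
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $clist; do
                match_client "$c" "$ip" "$host" && return 0
            done
        done
    done < "$f"
    return 1
}

# decide ALLOW_FILE DENY_FILE DAEMON IP HOST -> prints "allow" or "deny".
decide() {
    if file_matches "$1" "$3" "$4" "$5"; then echo allow
    elif file_matches "$2" "$3" "$4" "$5"; then echo deny
    else echo allow                              # nothing matched: tcpd lets it in
    fi
}

hosts_access()              { decide "$HOSTS_ALLOW" "$HOSTS_DENY" "$@"; }
hosts_access_without_deny() { decide "$HOSTS_ALLOW" "$EMPTY_DENY" "$@"; }

# Stand-alone run: the same untrusted client, with and without the catch-all deny.
printf 'ibserver from 10.0.0.5 with ALL:ALL in hosts.deny: %s\n' \
    "$(hosts_access ibserver 10.0.0.5 stranger.example)"
printf 'ibserver from 10.0.0.5 with an empty hosts.deny:   %s\n' \
    "$(hosts_access_without_deny ibserver 10.0.0.5 stranger.example)"
```

Two practical points follow from the model. First, the wrapper files only govern services started through tcpd/(x)inetd or daemons linked against libwrap; a server process that binds port 3050 itself is outside their reach unless it was built that way, which is why the ipchains/iptables rule on port 3050 in the quoted message is the complementary control rather than a redundant one. Second, the `.domainname.com` style patterns rely on reverse DNS for the connecting address, so the address-prefix and explicit-address entries are the ones to lean on for a database host.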