
20040407: Vietnam and GEMPAK GRIB decoding (cont.)



>From: Mai Nguyen <address@hidden>
>Organization: National Center for Hydro-Meteorological Forecasting of Vietnam
>Keywords: 200312020023.hB20N4p2027742 Linux security

Hi Mai,

This email will only concern the security issues on your machine.

>5) SECURITY. This is the big issue for us since we
>have virtually very little experience working with
>Linux/Unix. This computer is the first (Linux) one
>connected to the internet. So could you please advise
>us of the necessary measures to protect our computer.

We agree that you should act on this before you do anything else,
and this should be as soon as possible!

Here is what we recommend:

- turn off rexec access
- turn off rlogin access
- turn off rsh access
- turn off telnet access
- turn off tftp access

For the above, you would edit the associated files in /etc/xinetd.d
and change 'disable=no' to 'disable=yes' as 'root'.

- turn off rpcbind access
- turn off vsftpd access
- turn off nfs (if you are not using it)

For these three, run 'chkconfig --level 345 <service> off' as 'root'.

If any of the above services need to be used, they should have access
control setup in iptables (/etc/sysconfig/iptables) or wrapped by TCP
wrappers (/etc/hosts.allow).
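The following is an added example, not part of Tom's email: a small POSIX shell script that audits a directory of xinetd service files for the five services listed above, reports which are still enabled, and applies the same 'disable = no' to 'disable = yes' edit the email describes. It runs against a constructed sample directory (a stand-in for /etc/xinetd.d, so nothing on the real system is touched); the file contents, the sample directory and the helper function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Unidata email): audit and disable xinetd
# services. A constructed sample directory stands in for /etc/xinetd.d.

# make_sample_dir: create constructed sample service files and print the
# directory path. rsh is deliberately absent to show that a missing file
# is simply skipped by the audit.
make_sample_dir() {
  dir=$(mktemp -d)
  for svc in rexec rlogin telnet tftp; do
    case $svc in
      rlogin|tftp) state=yes ;;   # already disabled in the sample
      *)           state=no ;;    # still enabled in the sample
    esac
    cat > "$dir/$svc" <<EOF
service $svc
{
        user            = root
        disable         = $state
}
EOF
  done
  echo "$dir"
}

# xinetd_state FILE: print "disabled" if the file contains "disable = yes"
# (with or without spaces), otherwise "enabled"; xinetd treats a service
# with no disable line as enabled.
xinetd_state() {
  if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"; then
    echo disabled
  else
    echo enabled
  fi
}

# audit_xinetd DIR: list the services from the email that are still enabled.
audit_xinetd() {
  for svc in rexec rlogin rsh telnet tftp; do
    [ -f "$1/$svc" ] || continue
    if [ "$(xinetd_state "$1/$svc")" = enabled ]; then
      echo "$svc"
    fi
  done
}

# disable_service FILE: rewrite "disable = no" as "disable = yes", the edit
# the email says to make by hand. Portable sed (no GNU-only "-i").
disable_service() {
  sed 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)no/\1yes/' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Demonstration on the constructed directory.
dir=$(make_sample_dir)
echo "Still enabled before:"; audit_xinetd "$dir"
for svc in $(audit_xinetd "$dir"); do disable_service "$dir/$svc"; done
echo "Still enabled after:"; audit_xinetd "$dir"
rm -rf "$dir"
```

On a real system, point audit_xinetd and disable_service at /etc/xinetd.d as root, then restart or reload xinetd so the edited files take effect; the chkconfig services in the next list (rpcbind, vsftpd, nfs) are standalone daemons, not xinetd entries, so this script does not cover them.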

Below is an iptables configuration (/etc/sysconfig/iptables)
we use here at Unidata modified and annotated for your use:

# ----- /etc/sysconfig/iptables - begin -----
# Generated by iptables-save v1.2.1a on Mon Aug 13 10:07:52 2001
*filter
:INPUT ACCEPT [1621:109078]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1188:410328]
# Allow all from localhost
-A INPUT -s 127.0.0.0/8 -j ACCEPT
#
# Allow all from Trusted Network (local subnet)
-A INPUT -s 203.162.14.0/24 -j ACCEPT
#
# Allow all traffic from Unidata Program Center
-A INPUT -s 128.117.140.0/24 -j ACCEPT
#
# OR allow all traffic from host (change next line and uncomment to activate)
#-A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT
#
# Open specific ports for use (copy SSH example and modify to open other
# ports)
#
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p udp -m udp --dport 22 -j ACCEPT 
#
# LDM
-A INPUT -p tcp -m tcp --dport 388 -j ACCEPT 
#
# Close all other system ports
-A INPUT -p tcp -m tcp --dport 1:1025 -j DROP 
-A INPUT -p udp -m udp --dport 1:1025 -j DROP 
#
# Close specific ports known to be open
-A INPUT -p tcp -m tcp --dport 2049 -j DROP 
-A INPUT -p udp -m udp --dport 2049 -j DROP 
-A INPUT -p tcp -m tcp --dport 3306 -j DROP 
-A INPUT -p udp -m udp --dport 3306 -j DROP 
-A INPUT -p tcp -m tcp --dport 6000:6010 -j DROP 
-A INPUT -p udp -m udp --dport 6000:6010 -j DROP 
COMMIT
# ----- /etc/sysconfig/iptables - end -----

You can use the above entries to replace the ones currently on met_research3:

<as 'root'>
cd /etc/sysconfig
mv iptables iptables.bak

- copy the above lines into /etc/sysconfig/iptables

chkconfig --level 345 iptables on
/etc/init.d/iptables restart

IMPORTANT:  do not run the above if you are logged in using 'telnet',
'rsh', 'rlogin', or any other service you are turning off since you
will be immediately disconnected when you run the above.  It would
probably be best to do the above from the system console.
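Before installing the rule set above, it helps to check what it actually lets through. The script below is an added example, not from the email: it reads an iptables-save style file and, for a given protocol and port, prints the target of the first INPUT rule that matches a packet from an untrusted source (iptables is first-match, so an ACCEPT placed after the broad '--dport 1:1025 -j DROP' lines would never be reached). It uses a constructed copy of the email's rules with the comments and counters stripped; the function names and the sample file are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the Unidata email): first-match checker for an
# iptables-save style rule file, evaluated from the point of view of a
# host that matches none of the "-s" (trusted source) rules.

# make_sample_rules: write a constructed copy of the email's rule set to a
# temp file and print its path (same rules; comments and counters omitted).
make_sample_rules() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.0/8 -j ACCEPT
-A INPUT -s 203.162.14.0/24 -j ACCEPT
-A INPUT -s 128.117.140.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 388 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1:1025 -j DROP
-A INPUT -p udp -m udp --dport 1:1025 -j DROP
-A INPUT -p tcp -m tcp --dport 2049 -j DROP
-A INPUT -p udp -m udp --dport 2049 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p udp -m udp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 6000:6010 -j DROP
-A INPUT -p udp -m udp --dport 6000:6010 -j DROP
COMMIT
EOF
  echo "$f"
}

# first_match FILE PROTO PORT: print ACCEPT or DROP from the first INPUT rule
# whose --dport range covers PORT for PROTO, skipping source-restricted rules
# (they do not apply to an untrusted sender). Prints POLICY when no rule
# matches; the chain policy (ACCEPT in this file) then decides.
first_match() {
  awk -v proto="$2" -v port="$3" '
    BEGIN { found = 0 }
    $1 == "-A" && $2 == "INPUT" {
      p = ""; lo = -1; hi = -1; tgt = ""; src = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") p = $(i + 1)
        if ($i == "-s") src = $(i + 1)
        if ($i == "-j") tgt = $(i + 1)
        if ($i == "--dport") {
          n = split($(i + 1), r, ":")
          lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : r[1] + 0
        }
      }
      if (src != "") next
      if (p == proto && lo >= 0 && port + 0 >= lo && port + 0 <= hi) {
        print tgt; found = 1; exit
      }
    }
    END { if (!found) print "POLICY" }
  ' "$1"
}

# report FILE: show the outcome for the ports the email discusses, plus one
# unlisted high port to show that the chain policy (ACCEPT) still applies there.
report() {
  for spec in tcp:22 tcp:23 tcp:388 tcp:2049 tcp:3306 tcp:6000 tcp:8080; do
    proto=${spec%%:*}; port=${spec##*:}
    printf '%s/%s -> %s\n' "$proto" "$port" "$(first_match "$1" "$proto" "$port")"
  done
}

rules=$(make_sample_rules)
report "$rules"
rm -f "$rules"
```

The last line of the report is the point worth noticing: with an INPUT policy of ACCEPT, any port above 1025 that is not named in a DROP rule stays reachable, which is why the email closes 2049, 3306 and 6000:6010 explicitly. Run first_match against your own /etc/sysconfig/iptables for every port a service on met_research3 listens on to confirm each one lands on the rule you intended.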

Cheers,

Tom
--
NOTE: All email exchanges with Unidata User Support are recorded in the
Unidata inquiry tracking system and then made publicly available
through the web.  If you do not want to have your interactions made
available in this way, you must let us know in each email you send to us.