Bug 74950
| Summary: | Errors/typos in security guide | | |
|---|---|---|---|
| Product: | [Retired] Red Hat Public Beta | Reporter: | Miloslav Trmac <mitr> |
| Component: | rhl-sg | Assignee: | John Ha <jha> |
| Status: | CLOSED RAWHIDE | QA Contact: | Tammy Fox <tammy.c.fox> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | phoebe | CC: | adstrong, jrfuller |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2003-03-17 22:35:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Miloslav Trmac
2002-10-03 01:44:59 UTC
Thanks for pointing all of this out! I will review these issues and issue the appropriate Errata ASAP.

Johnray

I have corrected:

5> Server Security/Securing NIS
5> Server Security/Securing Apache HTTP Server/Restrict Permissions for Executable Directories
5> Server Security/Securing FTP/Anonymous Upload
5> Server Security/Securing Sendmail/Mail-only Users shell /sbin/nologin -> I ignored my own advice from the earlier chapter when I said /bin false... :-(

I did not correct:

5> Server Security/Securing Sendmail/Limiting Denial of Service Attack confMIN_FREE_BLOCKS: blacks instead of blocks

I can find no evidence to support the use of the term "blacks" here. From all that I have been able to dig up, this directive relates to blocks left on the spool drive, not black lists. Please let me know if I am missing something.

The issues in chapters 7 and 10 will be addressed by John. I will look into the issue for Chapter 3 and tell you the results here. Thank you for all your help!

Johnray

I have reviewed the firewall chapter with our technical lead, and we agree that the examples in this chapter are valid for machines which act as a firewall/gateway between the Internet and a local network. INPUT and OUTPUT chains in IPTables are for restricting or allowing connections inside and outside the LAN. FORWARD jumps are used, for example, when administrators want to send all incoming port 80 requests to one machine within the LAN that could be running httpd on port 8080.

Your observation about running rpm -Vf on individual files is valid and should have been written more clearly. Thank you for your suggestion.

For the observations you make regarding recommending /tmp/updates in Chapter 3 Security Updates, I do not see the problem with creating a directory in /tmp/ because you should not need the security updates once you have installed them. The fact that tmpwatch gets rid of the updates to save disk space if you forget to delete them is, in my view, an advantage.

If there is something I am missing, let me know here. I do appreciate you taking the time to send in this detailed bug. It has helped tremendously.

Johnray

I have posted errata and corrected the source in regards to these errors. Feel free to post to this bug about any of the issues raised here. Thanks again for your help.

Johnray

Hello, at least in one case I have been misunderstood:

5. Server Security/Securing Sendmail/Limiting Denial of Service Attack
confMIN_FREE_BLOCKS: — The minimum number of free blacks which must be ...
                                                   ^^^^^^

As for the firewall chapter, the trouble is that packets from *both* the LAN and the "outside" go through INPUT, but *only* if directed at the computer in question. Packets to *both* the LAN and the "outside" go through OUTPUT (it is quite logical, the kernel can't guess which is LAN and which is "outside"), but *only* if originated at the computer in question. Packets which are forwarded between interfaces go *only* through FORWARD. Yet the chapter contains things like:

The OUTPUT chain specifies any packets that originate from inside a LAN and travels outside (for example, to a remote website)

The LAN (which uses a private class C 192.168.1.0/24 IP range) rejects telnet access from the outside
iptables -A INPUT -p tcp --sport telnet -j REJECT

(this means: Reject all packets to this computer (regardless of origin), which are *from* port telnet. In effect, this disables connections *from* the computer in question to any telnet service (because the "answers" will be rejected.)

The whole chapter seems to be based on these wrong assumptions.

Although it may appear like I was trying to make a political statement through the sendmail security section, it was actually a typo :-/ I have fixed it now, however. Thanks for clarifying that for me.

Johnray

Chapter 7 is basically unchanged in 8.0.93 doc set. See the Reference guide explanation of INPUT/OUTPUT/FORWARD in filter table, or just (man iptables).

Hello Miloslav,

You are correct. That chapter as well as the Server chapter have not yet changed for the new release. They are due to be finished soon, but I do not think they will make it into a beta release.

Johnray

The firewall chapter has been revamped with some clarification/explanation of chain rules and implementation. Some rulesets have been changed based on this bug report and further analysis. The revamped chapter will appear in the upcoming version of the Security Guide. Thank you for your detailed report and further comments on this chapter.

It appears that this covers all points for this bug report. Thank you again for your detailed analysis and response.
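The disagreement in this thread is about which built-in chain a packet traverses (INPUT for packets addressed to the box itself, OUTPUT for packets it generates, FORWARD for packets routed between its interfaces) and about what `--sport telnet` versus `--dport telnet` actually selects. The following is an added example, not code from this bug report, the Security Guide or Red Hat: a small Python model of that chain selection and of first-match rule evaluation. It does not talk to the kernel; the addresses, interface names (eth0 outside, eth1 LAN), the default ACCEPT policy and the absence of connection tracking are constructed assumptions for the illustration. It runs the rule the guide printed beside a rule that matches inbound telnet on the outside interface, so the reader can see which packets each one rejects.

```python
"""Toy model of the Netfilter filter table's INPUT/OUTPUT/FORWARD chains.

Constructed for illustration: no conntrack, default policy ACCEPT,
first matching rule wins. Addresses use documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_iface: str          # interface the packet arrived on
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str            # "ACCEPT" or "REJECT"
    proto: Optional[str] = None
    sport: Optional[int] = None      # --sport
    dport: Optional[int] = None      # --dport
    in_iface: Optional[str] = None   # -i

    def matches(self, pkt: Packet) -> bool:
        wanted = ((self.proto, pkt.proto), (self.sport, pkt.sport),
                  (self.dport, pkt.dport), (self.in_iface, pkt.in_iface))
        return all(w is None or w == have for w, have in wanted)


class Host:
    """A box with local addresses and an ordered rule list (iptables -A)."""

    def __init__(self, local_addrs: List[str]) -> None:
        self.local = set(local_addrs)
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)

    def chain_for(self, pkt: Packet) -> str:
        # INPUT: addressed to this host, whether it came from the LAN or outside.
        # OUTPUT: generated by this host. FORWARD: routed through, never INPUT/OUTPUT.
        if pkt.dst in self.local:
            return "INPUT"
        if pkt.src in self.local:
            return "OUTPUT"
        return "FORWARD"

    def verdict(self, pkt: Packet) -> Tuple[str, str]:
        chain = self.chain_for(pkt)
        for rule in self.rules:
            if rule.chain == chain and rule.matches(pkt):
                return chain, rule.target
        return chain, "ACCEPT"       # assumed default policy


# Constructed topology: firewall with an outside (eth0) and a LAN (eth1) address.
FW_EXT, FW_LAN = "203.0.113.10", "192.168.1.1"
LAN_PC, OUTSIDE = "192.168.1.50", "198.51.100.7"

# The rule quoted from the guide:  iptables -A INPUT -p tcp --sport telnet -j REJECT
GUIDE_RULE = Rule("INPUT", "REJECT", proto="tcp", sport=TELNET)
# A rule that rejects telnet *to this host* arriving on the outside interface:
#   iptables -A INPUT -i eth0 -p tcp --dport telnet -j REJECT
FIXED_RULE = Rule("INPUT", "REJECT", proto="tcp", dport=TELNET, in_iface="eth0")


def scenario(rule: Rule) -> Dict[str, Tuple[str, str]]:
    """Run a few constructed packets through a firewall carrying one rule."""
    fw = Host([FW_EXT, FW_LAN])
    fw.append(rule)
    packets = {
        # outsider opening telnet on the firewall itself
        "inbound_telnet_to_fw": Packet(OUTSIDE, FW_EXT, 40000, TELNET, "eth0"),
        # server's reply to a telnet session the firewall itself opened
        "reply_to_fw_telnet_client": Packet(OUTSIDE, FW_EXT, TELNET, 40001, "eth0"),
        # LAN host opening telnet on the firewall's inside address
        "lan_telnet_to_fw": Packet(LAN_PC, FW_LAN, 40002, TELNET, "eth1"),
        # outsider aiming at a LAN host: routed, so only FORWARD sees it
        "inbound_telnet_to_lan_host": Packet(OUTSIDE, LAN_PC, 40003, TELNET, "eth0"),
    }
    return {name: fw.verdict(p) for name, p in packets.items()}


if __name__ == "__main__":
    for label, rule in (("guide rule", GUIDE_RULE), ("fixed rule", FIXED_RULE)):
        print(label)
        for name, (chain, target) in scenario(rule).items():
            print(f"  {name:28s} {chain:8s} {target}")
```

With the guide's rule the outsider's telnet connection to the firewall is accepted while the replies to the firewall's own outgoing telnet sessions are rejected, which is exactly the reversal Miloslav describes; with the `--dport`/`-i eth0` rule the inbound attempt on the outside interface is rejected and the LAN-side attempt is still accepted. In both cases the packet addressed to the LAN host lands in FORWARD untouched, so protecting hosts behind the gateway needs a FORWARD rule, not an INPUT one. On a real system the authoritative check is the kernel's counters (`iptables -L -v -n`), not this model.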