A few things
-----BEGIN PGP SIGNED MESSAGE-----
1) Jason- Did you turn off relaying in Qmail? I'd hate to find out that
one day someone is using us to spam people. (Though I have a few "toys"
to play with for people like that. :-)
2) I initially thought that we shouldn't have NaviSite do any ACLs for
us. Then I realized while we can control all the daemons, we're still
vulnerable to ICMP DOS attacks. It's all too easy to do a SMURF attack and
eat bandwidth and CPU. I think we should have NaviSite limit ICMP to
those hosts/networks which we come from. I would take the existing list
people have given me for TCP Wrappers.
(For those of you wondering why we don't have NaviSite do this for
everything- it's because NaviSite will only make changes to the ACLs
during the change windows which occur 2x week. Denying access to
ourselves should something change for 4 days while we wait for NaviSite to
make a change is not acceptable IMHO.)
3) Virtual Hosts. We've got a lot. Do we need this many? Should
"linuxkb.org" = "www.linuxkb.org" ? It doesn't currently. I assume
"admin" is for the administration pages (CGIs, documentation, etc) for
the site. This should be bound to the loopback device and we should use
the ssh hack to access it.
4) Ht://dig DB. How many? One for each CVS module? One that's shared?
One for production one for development trees? (I'm only talking about the
actual tables and the content therein.)
5) MySQL DB. Same questions.
6) User policies. So the box is primarily our web server, but I don't
think it's unreasonable that each of us is allowed to store/read mail
locally on it and stuff like that. (Right now I see local mail spool
readers like pine/mutt/elm allowed. IMAP and POP3 are a security risk.)
I foresee a lot of email being generated to aturner@linuxkb.org and I'm
already pushing the limit of storage space at my ISP. Web pages too?
Kinda like allowing people who use the site to put a face to the
developers. Web space for any software we write that's placed under the
GPL license and stuff like that.
That's it for now. Have a great MLK holiday everyone.
- --
Aaron Turner | Either which way, one half dozen or another.
aturner@pobox.com | Check out the Red Hat Linux User's FAQ Online!
www.pobox.com/~aturner | http://www.pobox.com/~aturner/RedHat-FAQ/
All emails from this account are PGP signed. Lack of a signature is "bad".
PGP Key fingerprint = FB E1 CE ED 57 E4 AB 80 59 6E 60 BF 45 1B 20 E8
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNqJvIjM3jpXy1kJtAQGpigP/Q65KnA3bQp/HXnozW9ez8zAcejU8ZHTJ
mM0WH7b3lzIhKQc0y/zkJEVpwE6HTQFwxYGiBlT6Z0CLSQsOyd1/byWXNLSpSW7V
m4XspMRAi75NiEhJTWLYnxCbsgePHw8P14FrtJSN4OchRclNU8+TLiuaEUkTbdII
VABunbVy06w=
=6q9C
-----END PGP SIGNATURE-----