How to set up a home system or server in Solaris with a firewall?
tyson 17-October-2008 05:07:53 PM

Comments



Posted: 20-October-2008 12:49:54 AM By: sagitraz

> Is there any security concern about assigning home directories to each
> user in Unix-like operating systems? What would we lose (or gain) by not
> creating these directories?

That all depends on whether or not the permissions are set
correctly. Unix practice says that the default umask on file permissions is
such that new files created will be readable by everyone on the system.

$ man umask

and change it in /etc/profile if you don't like this idea.

As for what you lose or gain, that also depends on some things, like
whether or not these accounts exist just so administrators can su to
root, or whether they're actual nonprivileged users that need to get
into the shell or transfer data there. If you don't create home dirs,
and said user with no home directory shells in, they'll be greeted with
a nice little message warning that they have no home directory, and
their home directory will be forced to the root (/). Now you have a
user logged in with nowhere to store any data, other than /tmp, which is
usually world-writable.

I think we need more information on what exactly you are trying to
accomplish here.

> What kind of security risks would we face by using/allowing passive
> FTP?

FTP, in any standard form, is a plain-text protocol, meaning
authentication happens in a viewable form over the wire, i.e.:

USER somebody
PASS mypassword

Thus, if a machine on the same segment is compromised, you run the risk
of having FTP or telnet authentication sniffed out.

Better alternatives for shell services and file transfer include SSH and
SFTP, which do all their authentication in an encrypted form, making
sniffing auth strings much more difficult (provided you are using
version 2 of the SSH protocol).

If you are providing FTP services to end-users outside of your
enterprise, getting them to use SFTP may prove difficult, so you may be
forced to allow plain-text FTP, but for shell access, I would (and do)
insist on SSH2 only.


> 4-) Is it practically possible to have a test environment (test server)
> for firewall rulebase or configuration changes?

Certainly; it's both possible and recommended. Making drastic firewall
rulebase changes without testing them first can be catastrophic,
especially if the rules get out of order somehow and you end up with a
DROP policy somewhere in the middle of one of the chains. Best
practice is to have a small network in a lab where you can test your
firewall rules with a subset of different IPs. Remember to always save
firewall rule chains to disk before they are modified, and back them up
somewhere other than the firewall machine itself.
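The umask and missing-home-directory points above, as an added example that is not part of sagitraz's post: it creates a file under three umasks and prints the resulting modes, then reads passwd-format entries and flags login accounts whose home directory is missing, world-writable or world-readable. The directories and passwd lines are constructed for the demo; on a real host you would point audit_home_dirs at /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the thread. Runs as an unprivileged user; all
# directories and passwd entries below are constructed for the demo.

# 10-character mode string of a path, e.g. drwxr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create an empty file under the given umask ($1) in directory $2 and print
# its resulting mode. The subshell keeps the caller's umask unchanged.
file_mode_under_umask() {
    _f="$2/umask_$1"
    rm -f "$_f"
    ( umask "$1" && : > "$_f" )
    mode_of "$_f"
}

# Read passwd-format lines from the file $1 and flag accounts with a login
# shell whose home directory is missing or open to other users.
# Prints one line per finding: "<user> <home> <problem>".
audit_home_dirs() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$shell" in
            */nologin|*/false|"") continue ;;   # no interactive login: skip
        esac
        if [ ! -d "$home" ]; then
            echo "$user $home missing"          # login will land the user in /
            continue
        fi
        case "$(mode_of "$home")" in
            ????????w?) echo "$user $home world-writable" ;;
            ???????r??) echo "$user $home world-readable" ;;
        esac
    done < "$1"
}

demo() {
    work=$(mktemp -d)
    mkdir -m 755 "$work/alice"     # typical default: anyone can list it
    mkdir -m 700 "$work/bob"       # private
    mkdir -m 777 "$work/shared"    # as open as /tmp, without the sticky bit
    cat > "$work/passwd" <<EOF
alice:x:1001:1001:Alice:$work/alice:/bin/sh
bob:x:1002:1002:Bob:$work/bob:/bin/sh
carol:x:1003:1003:Carol:$work/carol:/bin/sh
daemon:x:1:1::/:/usr/sbin/nologin
eve:x:1004:1004:Eve:$work/shared:/bin/ksh
EOF
    for m in 022 027 077; do
        echo "umask $m -> $(file_mode_under_umask "$m" "$work")"
    done
    audit_home_dirs "$work/passwd"
    rm -rf "$work"
}

demo
```

An account reported as "missing" is the case the post describes: the login succeeds and the user is dropped in / with only /tmp to write to. Setting the umask in /etc/profile only affects files created after login; it does nothing for the home directory itself, which is why the audit checks the directory mode separately.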

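The wire-level point in the post about FTP and SSH, as an added example that is not part of sagitraz's reply: a small awk pass that pairs USER and PASS commands per FTP session from a text dump of port-21 traffic, and a check of sshd_config for whether SSH protocol 1 is still allowed. The capture lines and the sshd_config are constructed for the demo, and the "<client> > <server> <command>" line format is an assumption of the example, not tcpdump's native output. The config check treats a missing Protocol line as permissive because OpenSSH releases before 5.4 defaulted to "Protocol 2,1".

```shell
#!/bin/sh
# Added example, not from the thread. Capture lines and sshd_config below
# are constructed; the "<client> > <server> <command>" line format is an
# assumption of this demo, not tcpdump's native output.

# Pair USER and PASS per FTP session (same client address:port and server)
# from a text dump of port-21 commands, one per line. This is what a host on
# the same segment sees with something like
#     tcpdump -n -A 'tcp dst port 21'
# once the packet headers are stripped. Output:
#     <client> -> <server> user=<name> pass=<password>
ftp_creds_in_capture() {
    awk '
        $2 != ">" { next }
        { k = $1 $3 }
        $4 == "USER" { user[k] = $5; next }
        $4 == "PASS" && (k in user) {
            printf "%s -> %s user=%s pass=%s\n", $1, $3, user[k], $5
            delete user[k]
        }
    ' "$1"
}

# Exit 0 if the sshd_config named in $1 still allows SSH protocol 1.
# A missing Protocol line is treated as allowing it, since OpenSSH before
# 5.4 defaulted to "Protocol 2,1"; only an explicit "Protocol 2" passes.
ssh_v1_allowed() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "protocol" { seen = 1; if ($2 ~ /1/) v1 = 1 }
        END { exit (!seen || v1) ? 0 : 1 }
    ' "$1"
}

demo() {
    d=$(mktemp -d)
    cat > "$d/ftp.txt" <<'EOF'
192.0.2.10.51234 > 192.0.2.20.21 USER somebody
192.0.2.11.40022 > 192.0.2.20.21 USER anonymous
192.0.2.10.51234 > 192.0.2.20.21 PASS mypassword
192.0.2.10.51234 > 192.0.2.20.21 PASV
192.0.2.11.40022 > 192.0.2.20.21 PASS guest@example.com
EOF
    echo "credentials visible on the wire:"
    ftp_creds_in_capture "$d/ftp.txt"
    printf 'Port 22\nProtocol 2,1\nSubsystem sftp /usr/lib/ssh/sftp-server\n' > "$d/sshd_config"
    if ssh_v1_allowed "$d/sshd_config"; then
        echo "sshd_config still permits protocol 1; set 'Protocol 2' and restart sshd"
    fi
    rm -rf "$d"
}

demo
```

Note that the extractor needs no decryption at all; it is string matching on what the protocol puts on the wire. The same trick works for telnet, only without the convenient one-command-per-line structure. Running ftp_creds_in_capture over a capture from your own segment is a quick way to show management why the post insists on SSH2 for shell access.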

Posted: 20-October-2008 01:54:01 PM By: suresh123

Solaris provides the ipf command line for setting up its firewall subsystem.
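For the Solaris case the thread is actually about, here is an added example (not from the thread or from Sun's documentation) of the "save first, test, then load" routine from sagitraz's post, expressed with IP Filter. It assumes Solaris 10's ipf/ipfstat and /etc/ipf/ipf.conf; the interface name e1000g0, the 192.0.2.0/24 LAN and the backup host are placeholders. Everything that would touch the live firewall is kept in functions the demo never calls; the demo only runs the ordering check on scratch files.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Solaris 10 IP Filter
# (ipf, ipfstat, /etc/ipf/ipf.conf); the interface e1000g0, the LAN
# 192.0.2.0/24 and the backup host are placeholders.

# Candidate ruleset. IP Filter checks every rule and the LAST match wins,
# except that a rule marked "quick" ends the search as soon as it matches.
# Putting the default blocks first, without "quick", is what lets the
# specific passes below override them.
write_candidate() {
    cat > "$1" <<'EOF'
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on e1000g0 proto tcp from any to any flags S keep state
pass out quick on e1000g0 proto udp from any to any keep state
pass out quick on e1000g0 proto icmp from any to any keep state
pass in quick on e1000g0 proto tcp from 192.0.2.0/24 to any port = 22 flags S keep state
EOF
}

# The ordering mistake the post warns about, in IP Filter terms: a "quick"
# rule with no interface, protocol or port restriction matches everything
# in its direction, so every later rule for that direction is dead.
# Prints one line per shadowed rule; exit status 1 if any were found.
dead_rules_after_catchall() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { dir = $2 }                         # "in" or "out"
        dir in dead {
            printf "line %d: unreachable, shadowed by quick catch-all on line %d\n", NR, dead[dir]
            bad = 1; next
        }
        / quick / && !/ on / && !/proto/ && !/ port / { dead[dir] = NR }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Save the live rules (ipfstat -io prints them in loadable form) and copy
# them off the firewall before anything is changed.
backup_live_rules() {
    ipfstat -io > "$1" || return 1
    scp "$1" backup.example.net:/srv/ipf-backups/    # placeholder target
}

# Refuse shadowed rulesets, parse-check without touching the kernel (-n),
# then flush the active set and load the new one.
load_after_check() {
    dead_rules_after_catchall "$1" || return 1
    ipf -n -f "$1" || return 1
    ipf -Fa -f "$1"
}

demo() {
    d=$(mktemp -d)
    write_candidate "$d/ipf.conf"
    if dead_rules_after_catchall "$d/ipf.conf"; then
        echo "candidate ruleset: no shadowed rules"
    fi
    # The same ruleset with an all-matching quick block inserted early:
    # nothing after it for "in" can ever match.
    { echo "block in quick all"; cat "$d/ipf.conf"; } > "$d/broken.conf"
    dead_rules_after_catchall "$d/broken.conf"
    rm -rf "$d"
}

demo
```

On the firewall itself the sequence is backup_live_rules /var/tmp/ipf-before-change.rules, then load_after_check /etc/ipf/ipf.conf; if the shadow check complains, the ruleset never reaches ipf. The check is deliberately narrow: it catches only the unconditional "quick" catch-all, not every way two rules can overlap, so it complements rather than replaces the lab network the post recommends.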

Posted: 19-January-2009 06:12:24 AM By: waqasahmad

Please visit
www.unix-tutorials.com/search.php?act=search&term=How+to+set+up+a+home+web+server