I've read that it's not so safe to let a machine with IRIX be publicly available on the internet. They are not known to be very secure, especially the older versions of IRIX (the latest IRIX is probably secure enough ...). I know there are a lot of precautions to be taken on an IRIX (any?) machine. Turning off guest accounts, chkconfig off some things, etc.
Still, I'm interested in doing so when I get cable modem. Naturally I'd like to use my trusty old Indigo R3000 with IRIX5.3 :-) even if I have the possibility to use 6.2 or 6.5 on an Indy as well. I wonder if 'all' problems go away if I use a good firewall.
It's just the IRIX part I'm concerned about here, but there must be plenty of IRIX machines running as webservers. I'm having both hardware and software firewalls in mind. Any suggestions? You might have guessed that I never have set up a firewall before, but I can get someone to help me with that.
>I've read that it's not so safe to let a machine with IRIX be publicly available on the internet. They are not known to be very secure, especially the older versions of IRIX (the latest IRIX is probably secure enough ...). I
There are problems with a lot of dated operating systems. There are also fundamental problems with unsupported versions of any operating system. You should be on firm ground with the current 6.5.14 release.
>know there are a lot of precautions to be taken on an IRIX (any?) machine. Turning off guest accounts, chkconfig off some things, etc.
These are variations of what one needs to do on any system to secure it. Proper setup of a web browser is central to it as is proper limitation of services, control of user accounts, and control of remote access.
>Still, I'm interested in doing so when I get cable modem. Naturally I'd like to use my trusty old Indigo R3000 with IRIX5.3 :-) even if I have the possibility to use 6.2 or 6.5 on an Indy as well. I wonder if 'all' problems go away if I use a good firewall.
No, not all problems, but many do. Depending on the cable modem, it may have the requisite built-in security options. On a cisco 67x dsl modem, for instance, one must explicitly do port mappings so that outside clients can initiate connections to host services.
>It's just the IRIX part I'm concerned about here, but there must be plenty of IRIX machines running as webservers.
Yes, there are. They do fine.
>I'm having both hardware and software firewalls in mind. Any suggestions?
>You might have guessed that I never have set up a firewall before, but I can get someone to help me with that.
A hardware firewall is very nice since you can right out limit access to your local network. If you have multiple machines on a local network, this is very nice indeed. On a host machine, I'd suggest investigating ip filtering, particularly if you don't have an external hardware firewall. Also, you might want to set up tcp wrappers for your services and tripwire to monitor everything. You might want to set up a separate machine to do logging.
Thank you Daniel, and others for useful information
I guess I stepped on some toes with my statement, so I better do something about it. I realise that IRIX is not worse than another OS, it's up to the admin to secure it. I have however read some older postings in newsgroups about it, which on second thought might have said something more like 'IRIX is not the most secure for internet server services'. They probably referred to older versions though, the postings were a couple of years old. But since I'm considering IRIX5.3 this was relevant to me.
/Bjorn
PS. Since having 'nospam' in my return address seems to be a capital crime by some people, I will remove it and see what happens. DS
In article <3c39e26d.146824...@news-west.newscene.com>, Bjorn Ljungdahl <bjorn.ljungd...@telia.com> wrote:
>I guess I stepped on some toes with my statement, so I better do something about it. I realise that IRIX is not worse than another OS, it's up to the admin to secure it....
There is often a conflict between ease of use and security. The vendor is faced with the desire to have machines pre-loaded with easily networked applications and the desire to have machines closed to most security holes. Many companies have tended toward the former and had classic holes in the system as delivered (nfs wide open, well-known accounts with no passwords, all services turned on...). The simple graphical option in irix 6.5 (under the system manager, select "Improve System Security") helps to satisfy both requirements.
These are generic problems.
....
>PS. Since having 'nospam' in my return address seems to be a capital crime by some people, I will remove it and see what happens. DS
May you enjoy the increased volume of email on a wide variety of topics. :-)
> Thank you Daniel, and others for useful information
> PS. Since having 'nospam' in my return address seems to be a capital crime by some people, I will remove it and see what happens. DS
You can always open an account at one of those free email services (yahoo, hotmail, caramail...) and just use it only for newsgroups. All the crap will end up there and real people won't complain. You have to check it every now and then, obviously, but it will keep your main account from being overwhelmed.
> PS. Since having 'nospam' in my return address seems to be a capital crime by some people, I will remove it and see what happens. DS
It wasn't Brent Bates, was it, by any chance..? He sent me some VERY rude messages the first time I posted here, and didn't even have the decency to justify himself. Raise the matter with his employer. All replies to Usenet posts are best sent to the group, anyway, for the elucidation of others.
I have been posting for a while recently (for unrelated reasons) without a spamtrap, and the amount of junkmail I receive is horrific. I was checking my personal mail at work the other day, a practice which is tolerated by my company, and received a mail which said (to paraphrase), "I was surprised not to have heard back from you, I thought you were interested in this [specified] subject, but if you're not, forget it. A link to my homepage follows". Now call me dumb, but I made the assumption this was a friend or acquaintance whose email nickname I didn't recognise, and unthinkingly followed the url, to help me identify them. I get a lot of spam, and most of it gets deleted without being read, but this was just sufficiently misleading for me to check. I closed the page as soon as I realised it was some sort of porn site, which apparently wasn't spotted by the company proxy-filter, but the URL was picked up on by someone else, later. I have a good connection at home for surfing porn, so I don't need to do so at work, and I'm not quite *that* stupid, anyway - but a few days later I'm in my boss' office getting a lecture about "inappropriate websites".
Since I've only been with the company a month or so, and I NEED the job badly, I'm now shitting bricks. I thought my boss was pretty damn tolerant, considering & if I was in his place the company would be advertising for a new junior right about now.
The upshot of this is that, however justified some arguments against spam-traps are, I can't consider them in the least against my own position.
> > PS. Since having 'nospam' in my return address seems to be a capital crime by some people, I will remove it and see what happens. DS
> It wasn't Brent Bates, was it, by any chance..? He sent me some VERY rude messages the first time I posted here, and didn't even have the decency to justify himself. Raise the matter with his employer. All replies to Usenet posts are best sent to the group, anyway, for the elucidation of others.
I don't know about Bjorn, but I received such an email, as you describe, from Brent last year. I agree with you. My feelings on the subject matter are that usenet replies should be posted to the group rather than sent directly to the person asking the question; and so a mangled address should never have been an issue in the first place.
If in fact the SGI newsgroup does not welcome mangled return addresses, then I believe this should be included in the misc FAQs. In other words this policy should be clear to all newcomers. Why make people wish they had asked their question to the Sun newsgroup instead ;-)
Brent did surprisingly (amusingly) come through when several months later he posted a commentary about EGD in an unsolicited answer to the newsgroup at large.
Regards,
Brigitte Silins
P.S Included the original message and argument I made on this topic:
----- Original Message -----
From: Brent L. Bates <blba...@vigyan.com>
To: Brigitte Silins <webmas...@agora.ca>
Sent: Monday, February 26, 2001 1:08 PM
Subject: Re: Help with EGD to create dev/random or entropy source on IRIX.
> IF you want ANY help AT ALL, YOU delete the garbage from YOUR return address or do not bother us with YOUR junk email!!
> --
> Brent L. Bates (UNIX Sys. Admin.)
> M.S. 912, NASA Langley Research Center
> Hampton, Virginia 23681-0001
> Phone:(757) 865-1400, x204
> FAX:(757) 865-8177
> Email: B.L.BA...@larc.nasa.gov http://www.vigyan.com/~blbates/
> Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B)
> This email address may not be added to any commercial mail list without my permission. Violation of my privacy with advertising or SPAM will result in a suit for a MINIMUM of $500 damages/incident, $1500 for repeats.
Is it really the nospam portion of my return address that bothered you so much?
After I received your email, I made a more recent search of Google(deja) and found only one reference to address munging in the IRIX newsgroup - Alex Cousin - who mentioned that it was against RFCs. The only RFC that I could think of was RFC1855 about netiquette.
I carefully read the entire section pertaining to NetNews and could not find any reference to munging or NOSPAM. I've also looked around at other newsgroups to which I subscribe and this does not seem to be an issue. People, whose postings I respect, also seem to be making similar changes to their return addresses. example sendmail newsgroup.
I have to admit that I set up my newsgroup account more than a year ago. At the time, I do remember searching the SGI FAQ about this issue and didn't find anything. Nor did I find anything through dejanews back then. Although I have occasionally contributed to the SGI newsgroups over the last 4 or so years, I have never posted any questions until the last 3 weeks. So, I wasn't aware this was an issue with this particular newsgroup. (My newsreader does not automatically show the headers and I hadn't really thought about my netnews return address in all that time.)
I noticed that I am not the only one recently that has made the same mistake. So perhaps a constructive way to deal with this issue might be to add a comment to the misc SGI FAQ. As it seems you have previously contributed to the SGI FAQ, you might know the proper channels to make this happen.
As I don't go out of my way to be rude to people, your email surprised me. I thought you might have handled this more elegantly.
Now, if you do in fact have any knowledge of EGD to create dev/random on IRIX 6.5.9 or another better entropy source on IRIX, I would love to hear it.
Regards,
Brigitte Silins President Agora Global Networks Inc.