I've read that it's not so safe to let a machine with
IRIX be publicly available on the internet. They are
not known to be very secure, especially the older
versions of IRIX (the latest IRIX is probably secure
enough ...). I know there are a lot of precautions to
be taken on an IRIX (any?) machine. Turning off guest
accounts, chkconfig off some things, etc.
Still, I'm interested in doing so when I get cable
modem. Naturally I'd like to use my trusty old Indigo
R3000 with IRIX5.3 :-) even if I have possibility to
use 6.2 or 6.5 on an Indy as well. I wonder if 'all'
problems go away if I use a good firewall.
It's just the IRIX part I'm concerned about here, but
there must be plenty of IRIX machines running as
webservers.
I'm having both hardware and software firewalls in
mind. Any suggestions?
You might have guessed that I never have set up a
firewall before, but I can get someone to help me
with that.
Thank you in advance
regards
Bjorn
If you reply via e-mail, please remove 'nospam'.
There are problems with a lot of dated operating systems.
There are also fundamental problems with unsupported versions
of any operating system. You should be on firm ground with
the current 6.5.14 release.
> know there are a lot of precautions to
>be taken on an IRIX (any?) machine. Turning off guest
>accounts, chkconfig off some things, etc.
These are variations of what one needs to do on any
system to secure it. Proper setup of a web browser
is central to it as is proper limitation of services,
control of user accounts, and control of remote access.
>Still, I'm interested in doing so when I get cable
>modem. Naturally I'd like to use my trusty old Indigo
>R3000 with IRIX5.3 :-) even if I have possibility to
>use 6.2 or 6.5 on an Indy as well. I wonder if 'all'
>problems go away if I use a good firewall.
No, not all problems, but many do. Depending on the
cable modem, it may have the requisite built-in
security options. On a Cisco 67x DSL modem, for instance,
one must explicitly do port mappings so that outside
clients can initiate connections to host services.
>It's just the IRIX part I'm concerned about here, but
>there must be plenty of IRIX machines running as
>webservers.
Yes, there are. They do fine.
>I'm having both hardware and software firewalls in
>mind. Any suggestions?
>You might have guessed that I never have set up a
>firewall before, but I can get someone to help me
>with that.
A hardware firewall is very nice since you can right
out limit access to your local network. If you have
multiple machines on a local network, this is very
nice indeed. On a host machine, I'd suggest investigating
ip filtering, particularly if you don't have an external
hardware firewall. Also, you might want to set up tcp
wrappers for your services and tripwire to monitor
everything. You might want to set up a separate machine
to do logging.
--
Daniel Packman
NCAR/ACD
pa...@ucar.edu
I guess I stepped on some toes with my statement, so I
better do something about it.
I realise that IRIX is not worse than another OS, it's up
to the admin to secure it. I have however read some older
postings in newsgroups about it, which on second thought
might have said something more like 'IRIX is not the most
secure for internet server services'. They probably
referred to older versions though, the postings were a
couple of years old. But since I'm considering IRIX5.3
this was relevant to me.
/Bjorn
PS. Since having 'nospam' in my return address seems to
be a capital crime by some people, I will remove it and
see what happens. DS
>I guess I stepped on some toes with my statement, so I
>better do something about it.
>I realise that IRIX is not worse than another OS, it's up
>to the admin to secure it....
There is often a conflict between ease of use and security.
The vendor is faced with the desire to have machines pre-
loaded with easily networked applications and the desire
to have machines closed to most security holes. Many companies
have tended toward the former and had classic holes in the
system as delivered (nfs wide open, well-known accounts
with no passwords, all services turned on...). The simple
graphical option in IRIX 6.5 (under the system manager,
select "Improve System Security") helps to satisfy both
requirements.
These are generic problems.
....
>PS. Since having 'nospam' in my return address seems to
>be a capital crime by some people, I will remove it and
>see what happens. DS
May you enjoy the increased volume of email on a wide
variety of topics. :-)
You can always open an account at one of those free email services (yahoo,
hotmail, caramail...) and just use it only for newsgroups. All the crap will
end up there and real people won't complain. You have to check it every now
and then, obviously, but it will keep your main account from being
overwhelmed.
alex
...
>
> PS. Since having 'nospam' in my return address seems to
> be a capital crime by some people, I will remove it and
> see what happens. DS
It wasn't Brent Bates, was it, by any chance..? He sent me some VERY rude
messages the first time I posted here, and didn't even have the decency to
justify himself. Raise the matter with his employer. All replies to Usenet
posts are best sent to the group, anyway, for the elucidation of others.
I have been posting for a while recently (for unrelated reasons) without a
spamtrap, and the amount of junkmail I receive is horrific. I was checking
my personal mail at work the other day, a practice which is tolerated by my
company, and received a mail which said (to paraphrase), "I was surprised
not to have heard back from you, I thought you were interested in this
[specified] subject, but if you're not, forget it. A link to my homepage
follows". Now call me dumb, but I made the assumption this was a friend or
acquaintance whose email nickname I didn't recognise, and unthinkingly
followed the url, to help me identify them. I get a lot of spam, and most
of it gets deleted without being read, but this was just sufficiently
misleading for me to check. I closed the page as soon as I realised it was
some sort of porn site, which apparently wasn't spotted by the company
proxy-filter, but the URL was picked up on by someone else, later. I have a
good connection at home for surfing porn, so I don't need to do so at work,
and I'm not quite *that* stupid, anyway - but a few days later I'm in my
boss' office getting a lecture about "inappropriate websites".
Since I've only been with the company a month or so, and I NEED the job
badly, I'm now shitting bricks. I thought my boss was pretty damn tolerant,
considering - and if I was in his place the company would be advertising for
a new junior right about now.
The upshot of this is that, however justified some arguments against
spam-traps are, I can't consider them in the least against my own position.
Stroller.
I don't know about Bjorn, but I received such an email, as you describe,
from Brent last year. I agree with you. My feelings on the subject matter
are that usenet replies should be posted to the group rather than sent
directly to the person asking the question; and so a mangled address should
never have been an issue in the first place.
If in fact the SGI newsgroup does not welcome mangled return addresses, then
I believe this should be included in the misc FAQs. In other words this
policy should be clear to all newcomers. Why make people wish they had asked
their question to the Sun newsgroup instead ;-)
Brent did surprisingly (amusingly) come through when several months later he
posted a commentary about EGD in an unsolicited answer to the newsgroup at
large.
Regards,
Brigitte Silins
P.S Included the original message and argument I made on this topic:
----- Original Message -----
From: Brent L. Bates <blb...@vigyan.com>
To: Brigitte Silins <webm...@agora.ca>
Sent: Monday, February 26, 2001 1:08 PM
Subject: Re: Help with EGD to create dev/random or entropy source on IRIX.
> IF you want ANY help AT ALL, YOU delete the garbage from YOUR return
> address or do not bother us with YOUR junk email!!
>
>
> --
>
> Brent L. Bates (UNIX Sys. Admin.)
> M.S. 912 Phone:(757) 865-1400, x204
> NASA Langley Research Center FAX:(757) 865-8177
> Hampton, Virginia 23681-0001
> Email: B.L....@larc.nasa.gov http://www.vigyan.com/~blbates/
>
> Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B)
> This email address may not be added to any commercial mail list without
> my permission. Violation of my privacy with advertising or SPAM will
> result in a suit for a MINIMUM of $500 damages/incident, $1500 for
> repeats.
>
Is it really the nospam portion of my return address that bothered you so
much?
After I received your email, I made a more recent search of Google(deja) and
found only one reference to address munging in the IRIX newsgroup - Alex
Cousin - who mentioned that it was against RFCs. The only RFC that I could
think of was RFC1855 about netiquette.
I carefully read the entire section pertaining to NetNews and could not find
any reference to munging or NOSPAM.
I've also looked around at other newsgroups to which I subscribe and this
does not seem to be an issue. People, whose postings I respect, also seem to
be making similar changes to their return addresses. example sendmail
newsgroup.
I have to admit that I set up my newsgroup account more than a year ago. At
the time, I do remember searching the SGI FAQ about this issue and didn't
find anything. Nor did I find anything through dejanews back then. Although
I have occasionally contributed to the SGI newsgroups over the last 4 or so
years, I have never posted any questions until the last 3 weeks. So, I
wasn't aware this was an issue with this particular newsgroup. (My
newsreader does not automatically show the headers and I hadn't really
thought about my netnews return address in all that time.)
I noticed that I am not the only one recently that has made the same
mistake. So perhaps a constructive way to deal with this issue might be to
add a comment to the misc SGI FAQ. As it seems you have previously
contributed to the SGI FAQ, you might know the proper channels to make this
happen.
As I don't go out of my way to be rude to people, your email surprised me. I
thought you might have handled this more elegantly.
Now, if you do in fact have any knowledge of EGD to create dev/random on
IRIX 6.5.9 or another better entropy source on IRIX, I would love to hear it.
Regards,
Brigitte Silins
President Agora Global Networks Inc.