[Sunhelp] Important Ports on Solaris.

Jonathan Eisch jeisch at boku.net
Fri Aug 20 15:24:17 CDT 1999


Secure is good, but I need to be able to access my files.  Not allowing
telnet and FTP would be contrary to my goals.

-Jonathan

"Tubbs, Derric L" wrote:
> 
> There are plenty of Solaris/UNIX sysadmin and/or security guides available
> on the net that tell what they suggest for this and they are good starting
> points and you can fine tune from there.  I agree with the others that you
> should avoid telnet and ftp if possible.  And take note of what was said in
> one of the previous requests, just because you disable ftp coming in doesn't
> mean you'll lose the ability to ftp out to someone else.
> 
> > ----------
> > From:         Doug McLaren[SMTP:dougmc at frenzy.com]
> > Reply To:     sunhelp at sunhelp.org
> > Sent:         Friday, August 20, 1999 2:25 PM
> > To:   sunhelp at ohno.mrbill.net
> > Subject:      Re: [Sunhelp] Important Ports on Solaris.
> >
> > On Fri, Aug 20, 1999 at 02:04:05PM -0500, Jonathan Eisch wrote:
> >
> > | I guess all I need are http, ftp, telnet.  That wasn't too hard.  Are
> > | there any more that one would suggest opening up?
> >
> > Outbound or inbound?
> >
> > If you want to log into the box from the Internet, you'd open up ftp
> > and telnet inbound.  *Note that both are bad ideas, you're much better
> > off with ssh.*
> >
> > Also note that ftp uses more than just one port.  In fact, it uses
> > ports that are basically random above 1024.  If it's in PASV mode,
> > these connections go in the same direction as the original ftp
> > request.  If it's in classic mode, they go in the opposite direction.
> >
> > Ultimately, you're making a choice between security and functionality.
> > You can set up a firewall that blocks most things and doesn't break
> > much, but to get more security you're going to start breaking things.
> >
> > Personally, I like to not break things.  So I allow all outbound TCP
> > connections (except for a few, like 6000/tcp, just to save me from
> > accidents) and block all inbound TCP connections < 1024 except ssh and
> > smtp.  For UDP, I allow all packets outbound, but block inbound traffic
> > to ports under 1024 unless it's to port 53 (DNS).
> >
> > I also block inbound 6000/tcp, 6001/tcp (X) 2049/tcp and 2049/udp
> > (nfs).
> >
> > I also block TCP traffic to and from doubleclick.net's address and a
> > few other sources of banner ads, filtering out many banner ads.  Quite
> > nice :)
> >
> > I probably forgot a few things, but if you can do something like this
> > it'll make a nice start.
> >
> > --
> > Doug McLaren, dougmc at frenzy.com
> >
> > _______________________________________________
> > SunHELP maillist  -  SunHELP at sunhelp.org
> > http://www.sunhelp.org/mailman/listinfo/sunhelp
> >
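Doug's inbound/outbound policy, modelled as an ordered first-match rule list so its consequences can be checked against sample packets, including the FTP data-channel point raised above. This is an added example, not code from the original thread or from any real Solaris packet filter; the port numbers 1025 and 2048 are constructed stand-ins for the random ports above 1024 that FTP chooses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (towards the host) or "out" (from the host)
    proto: str       # "tcp" or "udp"
    dport: int       # destination port of the packet

# Each rule: (direction, proto or None for any, predicate on dport, verdict).
# First matching rule wins, so the specific blocks come before the catch-alls.
POLICY = [
    # Explicit blocks named in the thread: X (6000/6001) and NFS (2049).
    ("in",  "tcp", lambda p: p in (6000, 6001, 2049), "block"),
    ("in",  "udp", lambda p: p == 2049,               "block"),
    ("out", "tcp", lambda p: p == 6000,               "block"),
    # Inbound privileged TCP: only ssh (22) and smtp (25) are allowed.
    ("in",  "tcp", lambda p: p in (22, 25),           "pass"),
    ("in",  "tcp", lambda p: p < 1024,                "block"),
    # Inbound privileged UDP: only DNS (53) is allowed.
    ("in",  "udp", lambda p: p == 53,                 "pass"),
    ("in",  "udp", lambda p: p < 1024,                "block"),
    # Everything else passes: all outbound, and inbound to ports >= 1024.
    ("in",  None,  lambda p: True,                    "pass"),
    ("out", None,  lambda p: True,                    "pass"),
]

def verdict(pkt: Packet) -> str:
    """Return "pass" or "block" for a packet under the modelled policy."""
    for direction, proto, match, action in POLICY:
        if direction == pkt.direction and proto in (None, pkt.proto) and match(pkt.dport):
            return action
    return "block"  # unreachable with the catch-all rules above; safe default

def ftp_data_verdicts() -> dict:
    """How the FTP data connection fares under this policy (constructed ports:
    1025 for a client-chosen port, 2048 for a server-chosen one)."""
    return {
        # classic (active) mode: the server connects back to the client, inbound
        "active":  verdict(Packet("in", "tcp", 1025)),
        # PASV mode: the client opens the data connection, same direction as control
        "passive": verdict(Packet("out", "tcp", 2048)),
    }
```

Note that both FTP data modes pass only because the policy leaves every inbound port above 1024 open; that is the "doesn't break much" side of the trade-off Doug describes.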