Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
11-05-2006, 05:19 PM
|
#1
|
LQ Newbie
Registered: Apr 2004
Posts: 13
Rep:
|
Fedora Core 6 overly secure
This whole secure by default thing is really getting out of hand. So, I just installed FC 6 after having been running RH9 for many years. Now, ftp, telnet, rlogin, etc are all disabled, and despite my best efforts I can't get them to work. Apparently they are all "kerberized" now. Well that's just great, so how the sam hill is that supposed to work across different machines and OSes? All I want to do is ftp some friggin files from the machine where I backed everything up. Nothing seems to work. I've installed xinetd and edited the scripts in /etc/xinetd.d to "enable" ftp. No joy. I've also shut down xinetd and started vsftpd, again, no joy.
|
|
|
11-05-2006, 06:51 PM
|
#2
|
Senior Member
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141
Rep:
|
Are you getting errors when you try and start them? What sort of messages are appearing in the log files (e.g. /var/log/messages, /var/log/vsftpd)?
|
|
|
11-05-2006, 07:11 PM
|
#3
|
Member
Registered: May 2004
Posts: 552
Rep:
|
For ftp you need to take away the -a option to the daemon.
Check the file /etc/xinetd.d/gssftp
Code:
change: server_args = -l -a
to: server_args = -l
then restart the xinetd daemon.
Just read the man page for each of the services, and there is a way to bypass the auth mechanisms.
|
|
|
11-05-2006, 09:30 PM
|
#4
|
Senior Member
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
|
Keep in mind the reason those services are disabled by default is that they have the ability to send userids and passwords in clear text. Anyone between the client and server can see the login information (including wireless users, if you are on WiFi).
If you've just got an Ethernet cable between two machines, no problem. If you are sending information across the Internet, big problem.
Instead of using telnet/rlogin, you can use ssh. Instead of using ftp, you can use scp (uses ssh for transport). If the client is a Windows machine, you can install the free PuTTY program for ssh/scp.
|
|
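Added example, not part of any post in this thread and not Fedora's own tooling: a small audit that parses xinetd service files and reports which of the services named above (ftp, telnet, rlogin) are enabled, and whether ftpd still carries the `-a` argument discussed in post #3. The sample file contents and the `telnet` file name are constructed for illustration; only `/etc/xinetd.d/gssftp` and its `server_args` values come from the thread.

```python
import re

# Services the thread names; "login" is the xinetd service name for rlogin.
CLEARTEXT_SERVICES = {"ftp", "telnet", "login"}

# Constructed samples in the layout of files under /etc/xinetd.d/ (not real output).
SAMPLE_FILES = {
    "gssftp": """
service ftp
{
    socket_type = stream
    server_args = -l        # the edited value from post #3
    disable     = no
}
""",
    "telnet": """
service telnet
{
    socket_type = stream
    disable     = yes
}
""",
}

def parse_xinetd(text):
    """Return [(service_name, {attribute: value})] for each service block."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        header = re.match(r"service\s+(\S+)$", line)
        if header:
            current = (header.group(1), {})
        elif line == "}" and current:
            services.append(current)
            current = None
        elif current and "=" in line:            # handles =, += and -=
            key, value = re.split(r"\s*[+-]?=\s*", line, maxsplit=1)
            current[1][key] = value
    return services

def audit(files):
    """List (file, service, has_dash_a) for every enabled service of interest."""
    findings = []
    for fname, text in sorted(files.items()):
        for name, attrs in parse_xinetd(text):
            # xinetd treats a service as enabled unless it says disable = yes
            enabled = attrs.get("disable", "no").lower() != "yes"
            if enabled and name in CLEARTEXT_SERVICES:
                has_dash_a = "-a" in attrs.get("server_args", "").split()
                findings.append((fname, name, has_dash_a))
    return findings

if __name__ == "__main__":
    for fname, name, has_dash_a in audit(SAMPLE_FILES):
        note = "-a present" if has_dash_a else "-a removed, auth mechanism bypassed"
        print(f"{fname}: service {name} enabled ({note})")
```

On a real host, build the `files` dictionary by reading each file in `/etc/xinetd.d/` instead of using `SAMPLE_FILES`.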
|
11-06-2006, 10:05 AM
|
#5
|
LQ Newbie
Registered: Apr 2004
Posts: 13
Original Poster
Rep:
|
I took out the -a, still no luck. Attempting to ftp (yes it's from a Windows machine) just hangs with no response. Attempting to ftp from the Linux box gives a litany of GSSAPI errors. It starts with
Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: unspecified GSS failure. Minor code may provide more information
GSSAPI error minor: no credentials cache found
...
I know all about the security issues, but this is a workstation accessed on a LAN not the internet. This is a colossal pain in the arse.
|
|
|
11-06-2006, 11:16 AM
|
#6
|
LQ Newbie
Registered: Apr 2004
Posts: 13
Original Poster
Rep:
|
Also X port is not working
It's like all external port access is disabled to the machine. I have the xserver running and I've issued the "xhost +" command. Yet, non-local connections are refused.
|
|
|
11-06-2006, 12:11 PM
|
#7
|
LQ Newbie
Registered: Apr 2004
Posts: 13
Original Poster
Rep:
|
I'm beginning to suspect FC6 has installed a software firewall of some sort. Anyone know how to turn it off? There's nothing in the control panel.
|
|
|
11-06-2006, 12:16 PM
|
#8
|
LQ Newbie
Registered: Apr 2004
Posts: 13
Original Poster
Rep:
|
And indeed, once I tumbled to that, the magic incantation is found to configure the friggin firewall:
system-config-securitylevel
Jeeze, would it be too much trouble to put the @#$%ing thing on the control panel or menu somewhere?
|
|
|
11-06-2006, 12:20 PM
|
#9
|
Senior Member
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
|
You mean menu System-Administration->Security Level and Firewall?
|
|
|
All times are GMT -5. The time now is 05:34 AM.