POP runs on ports 109 and 110 (109 is basically obsolete though), using the TCP protocol. The Washington University IMAPD server also comes with a POP server and is generally the stock POP server that ships with most Linux distributions. You can get it from: http://www.washington.edu/imap/.

ipfwadm -I -a accept -P tcp -S 10.0/8 -D 0.0/0 110
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0/0 110
ipfwadm -I -a deny -P tcp -S 0.0/0 -D 0.0/0 110

or

ipchains -A input -p tcp -j ACCEPT -s 10.0/8 -d 0.0/0 110
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0/0 110
ipchains -A input -p tcp -j DENY -s 0.0/0 -d 0.0/0 110

Cyrus
Cyrus is an IMAP server (it also supports POP and KPOP) aimed at closed environments, that is to say environments where the users have no access to the mail server other than through the IMAP or POP protocols. This allows Cyrus to store the mail in a much more secure manner and allows for easier management of larger installations. Cyrus is GNU licensed and available from: http://andrew2.andrew.cmu.edu/cyrus/imapd/.

IDS POP
IDS (It Doesn't Suck) POP is a lighter popd replacement aimed at smaller installations. It is GPL and available from: http://www.nodomainname.net/software/ids-pop/.

IMAPD

WU IMAPD (stock imapd)
IMAP is POP on steroids. It allows you to easily maintain multiple accounts, have multiple people access one account, leave mail on the server, download just the headers, or the bodies without attachments, and so on. IMAP is ideal for anyone on the go or with serious email needs. The default POP and IMAP servers that most distributions ship (bundled together into a single package named imapd, oddly enough) fulfill most needs.

IMAP also starts out as root. Although imapd typically drops to the privileges of the user accessing it, it cannot easily be set to run as a non-root user, since it has to open mailboxes (and, in IMAP's case, create folders, files, etc. in the user's home directory), so it cannot drop privileges as soon as one would like. Nor can these servers easily be chrooted (POP needs access to /var/spool/mail, and IMAP needs access to the user's home directory). The best policy is to keep the software up to date and, if at all possible, firewall POP and IMAP from the outside world; this works well if no one is on the road and needs to collect their email via the Internet. Washington University (WU) IMAPD is available from: http://www.washington.edu/imap/.

IMAP runs on port 143 and most IMAPD servers support TCP_WRAPPERS, making it relatively easy to lock down.

ipfwadm -I -a accept -P tcp -S 10.0/8 -D 0.0/0 143
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0/0 143
ipfwadm -I -a deny -P tcp -S 0.0/0 -D 0.0/0 143

or

ipchains -A input -p tcp -j ACCEPT -s 10.0/8 -d 0.0/0 143
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0/0 143
ipchains -A input -p tcp -j DENY -s 0.0/0 -d 0.0/0 143

Cyrus
Cyrus is an IMAP server (it also supports POP and KPOP) aimed at closed environments, that is to say environments where the users have no access to the mail server other than through the IMAP or POP protocols. This allows Cyrus to store the mail in a much more secure manner and allows for easier management of larger installations. Cyrus is GNU licensed and available from: http://andrew2.andrew.cmu.edu/cyrus/imapd/.

WWW based mail readers
One of the better solutions is to use a www based mail client. These can usually be run under a secure www server with minimal extra work, and have the added bonus of letting users check email safely from locations that would normally make checking email difficult (while on vacation in Europe, for example). Unfortunately the majority of www based mail reading clients stink, and the good ones cost an arm and a leg.

Non Commercial

IMP
IMP requires the Horde module (available on the same site) and a www server capable of PHP3 support. You can download IMP and Horde from: http://www.horde.org/imp/.

AtDot
AtDot is GNU licensed and written in Perl. It has several modes of operation, making it suitable for a variety of www based email solutions (hotmail style providers, ISPs, etc.). You can download it from: http://www.nodomainname.net/software/atdot/.

Commercial

DmailWeb
http://netwinsite.com/dmailweb/index.htm

WebImap
http://netwinsite.com/webimap/index.htm

DNS

Bind
DNS is an extremely important service for IP networks; I would not hesitate to say it is probably the MOST important network service (without it no one can find anything). It also requires connections coming in from the outside world, and due to the nature and structure of DNS the information DNS servers claim to have may not be true. The main provider of DNS server software (named, the de facto standard) is currently looking at adding a form of DNS information authentication (basically using RSA to cryptographically sign the data, proving it is 'true').

Most distributions are finally shipping bind 8.x, however none (to my knowledge) have shipped it set up for non-root, chrooted use by default. Making the switch is easy however:

-u specifies which UID bind will switch to once it is bound to port 53 (I like to use a user called 'named' with no login permissions, similar to 'nobody').
-g specifies which GID bind will switch to once it is bound to port 53 (I like to use a group called 'named', similar to 'nobody').
-t specifies the directory that bind will chroot itself to once started. /home/named is a good bet; in this directory you should place all the libraries and config files bind will require.

An even easier way of running bind chrooted is to download the bind-chroot package, available as a contrib package for most distributions, and install it. Before installation you will need a user and group called named (which is what the bind server changes its UID/GID to); simply use groupadd and useradd to create the user/group. Some packages use holelogd to log bind information to /var/log/messages (as bind would normally do); if this isn't available you will have to install it by hand, which is a chore. In addition to this, the default configuration file shipped with the package is usually set up securely (i.e. you cannot query bind for the version information).

Another aspect of bind is the information it contains about your network(s). When a person queries a DNS server for information they typically send a small request for one piece of information, e.g. what is the IP address for www.seifried.org? And then there are domain transfers, where a DNS server requests all the information for, say, seifried.org, grabs it, and can then make it available to others (as a secondary DNS server does). This is potentially very dangerous; it can be as dangerous as, or more dangerous than, shipping a company phone directory to anyone who calls up and asks for it. Bind version 4 didn't really have much security: you could limit transfers to certain servers, but not selectively enough to be truly useful. This has changed in Bind 8; documentation is available at http://www.isc.org/bind.html. To make a long story short, in Bind 8 there are global settings and most of these can also be applied on a per-domain basis. You can easily restrict transfers AND queries, log queries, set maximum data sizes, and so on. Remember, when restricting zone queries you must secure ALL name servers (the master and the secondaries), as you can transfer zones from a secondary just as easily as from a master.
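Putting the -u/-g/-t switches and the Bind 8 access controls from the paragraphs above into one procedure, here is an added example; it is not code from the guide, from a bind-chroot package or from ISC. It assumes (none of this is on the page) that the BIND 8 binary is at /usr/sbin/named, that the named user and group already exist (groupadd named; useradd -g named -d /home/named -s /bin/false named), and that 10.0.0.0/8, 192.0.2.53 and the example.com zone are placeholders to replace with your own. The chroot tree is built under /home/named as the text suggests, the generated named.conf refuses version queries, limits queries and zone transfers to named ACLs, logs every query and caps the data segment, and named is then started as root only long enough to bind port 53 before it chroots and drops to named:named.

```shell
#!/bin/sh
# Added example (not from the guide): build a BIND 8 chroot jail, write a
# restrictive named.conf into it and start named with -u/-g/-t.
# Assumptions: binary at $NAMED_BIN, user/group "named" already created,
# ACL addresses and the zone name are placeholders.

CHROOT_ROOT="${CHROOT_ROOT:-/home/named}"
NAMED_BIN="${NAMED_BIN:-/usr/sbin/named}"

# Create the directory skeleton named needs inside the jail rooted at $1.
make_chroot_tree() {
    root="$1"
    for d in etc var/named var/run dev; do
        mkdir -p "$root/$d"
    done
    # named expects /dev/null inside the jail; mknod needs root, so it is
    # only attempted as root and a failure is reported rather than fatal.
    if [ ! -e "$root/dev/null" ] && [ "$(id -u)" = 0 ]; then
        mknod -m 666 "$root/dev/null" c 1 3 || echo "could not create $root/dev/null" >&2
    fi
    # Copy the shared libraries the binary is linked against. ldd prints
    # "libc.so.6 => /lib/libc.so.6 (0x...)" plus a bare loader line.
    if [ -x "$NAMED_BIN" ] && command -v ldd >/dev/null 2>&1; then
        ldd "$NAMED_BIN" | awk '/=> \//{print $3} /^[[:space:]]*\//{print $1}' |
        while read -r lib; do
            mkdir -p "$root$(dirname "$lib")"
            cp -p "$lib" "$root$lib"
        done
    fi
    # Syslog is not handled here: once chrooted, named cannot reach /dev/log,
    # which is what the holelogd mentioned on this page supplies.
}

# Write a restrictive BIND 8 named.conf into the jail at $1. All paths are
# relative to the jail because -t chroots before the config is read.
write_named_conf() {
    root="$1"
    cat > "$root/etc/named.conf" <<'EOF'
// ACLs must be declared before they are referenced.
acl trusted     { 10.0.0.0/8; 127.0.0.1; };   // placeholder: our own networks
acl secondaries { 192.0.2.53; };              // placeholder: our secondary server

options {
    directory "/var/named";            // inside the chroot
    version "not available";           // do not answer version.bind queries
    allow-query { trusted; };          // who may ask anything at all
    allow-transfer { secondaries; };   // who may pull whole zones (AXFR)
    datasize 20M;                      // cap the process data segment
};

logging {
    channel query_log {
        file "query.log" versions 3 size 1M;   // /var/named/query.log in the jail
        print-time yes;
    };
    category queries { query_log; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };   // per-zone override of the global setting
};
EOF
}

# Start named: it binds port 53 as root, then chroots to $CHROOT_ROOT and
# switches to named:named, so the directories it writes must belong to named.
start_named() {
    chown -R named:named "$CHROOT_ROOT/var/named" "$CHROOT_ROOT/var/run"
    "$NAMED_BIN" -u named -g named -t "$CHROOT_ROOT"
}

# Quick self-check: number of allow-query/allow-transfer statements in a config.
count_restrictions() {
    grep -c -E 'allow-(query|transfer)' "$1"
}

# Only build and start when invoked as "start"; sourcing the file does nothing.
if [ "${1:-}" = "start" ]; then
    make_chroot_tree "$CHROOT_ROOT"
    write_named_conf "$CHROOT_ROOT"
    start_named
fi
```

Run it as root with the argument start. Afterwards a query for version.bind from outside the trusted ACL should be refused, and an AXFR attempt from any host other than the listed secondary should fail on every server carrying the zone, which is the point of the closing remark above: the secondaries need the same allow-transfer setting as the master.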
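Going back to the mail servers: the POP (port 110) and IMAP (port 143) ipchains rules earlier on this page, plus the TCP_WRAPPERS lockdown that the IMAPD section says is easy but does not show, combined in one added example that is not from the guide. It assumes, which the page does not state, that the daemons run from inetd under tcpd with the process names ipop3d and imapd (the names the WU-IMAP package installs), that 10.0/8 and some.trusted.host are placeholders, and it adds -l to the final DENY so that rejected connection attempts are logged. Rules are printed rather than applied unless APPLY=yes is set.

```shell
#!/bin/sh
# Added example (not from the guide): two-layer lockdown of POP and IMAP,
# packet filter (ipchains, as on this page, with logging on the deny) and
# TCP_WRAPPERS (hosts.allow / hosts.deny). Assumptions: daemon names ipop3d
# and imapd under tcpd, placeholder trusted sources.

APPLY="${APPLY:-no}"

# Emit ipchains rules for one TCP port: ACCEPT for each trusted source given
# after the port, then a logged DENY for everyone else. Order matters:
# ipchains walks the chain top down and the first match wins.
mail_port_rules() {
    port="$1"; shift
    for src in "$@"; do
        echo "ipchains -A input -p tcp -j ACCEPT -s $src -d 0.0/0 $port"
    done
    echo "ipchains -A input -p tcp -j DENY -l -s 0.0/0 -d 0.0/0 $port"
}

# Emit hosts.allow and hosts.deny lines for the wrapped daemons, allowing the
# sources given as arguments. tcpd consults hosts.allow first, then
# hosts.deny, so the ALL line in hosts.deny closes everything not listed.
wrappers_config() {
    daemons="ipop3d, imapd"
    allow=""
    for src in "$@"; do
        allow="${allow:+$allow, }$src"
    done
    echo "# /etc/hosts.allow"
    echo "$daemons: $allow"
    echo "# /etc/hosts.deny"
    echo "$daemons: ALL"
}

# Generate the complete filter rule set for both ports and either print it
# (APPLY=no, the default) or execute each rule (APPLY=yes, needs root).
lockdown_mail() {
    for port in 110 143; do
        mail_port_rules "$port" 10.0/8 some.trusted.host
    done | while read -r rule; do
        if [ "$APPLY" = yes ]; then
            $rule
        else
            echo "$rule"
        fi
    done
}
```

After applying, ipchains -L input -n shows the six rules in order; the wrappers lines go into /etc/hosts.allow and /etc/hosts.deny by hand. Note that the wrappers layer uses the 10.0.0.0/255.0.0.0 net/mask notation, not the 10.0/8 shorthand ipchains accepts.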