From: "Kim Okasawa"
To: _@r4k.net
Cc: freebsd-security@freebsd.org
Subject: Re: Any security issues with root's cron job?
Date: Sat, 06 Jul 2002 05:07:06 +0900

>From: Stephanie Wehner <_@r4k.net>
>To: Kim Okasawa
>Subject: Re: Any security issues with root's cron job?
>Date: Wed, 3 Jul 2002 16:48:37 +0200
>
>Hi Kim,
>
> > Can anyone think of any potential security risks to such practice?
> >Any suggestions and comments are greatly appreciated. Thank you!
>
>Not from the cronjob directly, however why would you want to change
>your ipfw rule set according to time?
>
>What I would check in this case is how your machine keeps time,
>e.g. it must be rather accurate. Also, by getting timing information
>from a remote ntp server for example would then mean you place your
>firewall rules pretty much into their hands.
>

Hi Stephanie:

Good thinking. You are absolutely right! The time should be rather
accurate in order for this to function correctly.
How about letting the server run its ntp service? Clients who want
to access the server would have to sync with it if necessary. But this
means that the firewall needs to open the ntp port and may create other
problems.

What I want is to create a virtual timed vault that only allows the
world to access certain services within a specific period of time. In
my case, some services/ports don't need to be available to the public
from 8PM-8AM. Closing those ports may mean less trouble.

Any suggestion on how to deal with the ntp problem? Thanks.

Best Regards,
Kim