Date:      Fri, 5 Jul 2002 16:19:34 -0400
From:      Brian Reichert <reichert@numachi.com>
To:        Kim Okasawa <kimokasawa@hotmail.com>
Cc:        _@r4k.net, freebsd-security@freebsd.org
Subject:   Re: Any security issues with root's cron job?
Message-ID:  <20020705161934.E259@numachi.com>
In-Reply-To: <F1208b12VqtpbGUyLCj00007ec6@hotmail.com>; from kimokasawa@hotmail.com on Sat, Jul 06, 2002 at 05:07:06AM +0900
References:  <F1208b12VqtpbGUyLCj00007ec6@hotmail.com>

On Sat, Jul 06, 2002 at 05:07:06AM +0900, Kim Okasawa wrote:
> >From: Stephanie Wehner <_@r4k.net>
> >To: Kim Okasawa <kimokasawa@hotmail.com>
> >Subject: Re: Any security issues with root's cron job?
> >Date: Wed, 3 Jul 2002 16:48:37 +0200
> >
> >Hi Kim,
> >
> > > Can anyone think of any potential security risks to such practice?
> > > Any suggestions and comments are greatly appreciated.  Thank you!
> >
> >Not from the cronjob directly, however why would you want to change
> >your ipfw rule set according to time ?
> >
> >What I would check in this case is how your machine keeps time,
> >eg it must be rather accurate. Also, by getting timing information
> >from a remote ntp server for example would then mean you place your
> >firewall rules pretty much into their hands.
> >
> 
> Hi Stephanie:
> 
> Good thinking.  You are absolutely right!  The time should be rather 
> accurate in order for this to function correctly.  How about letting the 
> server run its own ntp service?  Clients who want to access the server 
> would have to sync with it if necessary.  But this means that the firewall 
> needs to open the ntp port and may create other problems.

You don't _need_ an NTP server on your vault if you have access to
one that you trust.  I feel that most institutions should set up a
peered set of stratum-3 servers, out of hand, and sync internal
hosts to those; this cuts down on network traffic, if nothing else.

(You could even force them to use your time server(s) via divert.)

If your vault is to merely be an NTP client, then it will poll your
time server(s); you can firewall out spoofed replies.

If your time server is also to be an NTP server, then it will need
to be able to serve requests from your LAN.

These are both easily locked down via ipfw.

> 
> What I want is to create a virtual timed vault that only allows the world to 
> access certain services within a specific period of time.  In my case, 
> some services/ports don't need to be available to the public from 8PM-8AM.  
> Closing those ports may mean less trouble.
> 
> Any suggestion on how to deal with the ntp problem?  Thanks.
> 
> Best Regards,
> Kim
> 

-- 
Brian 'you Bastard' Reichert		<reichert@numachi.com>
37 Crystal Ave. #303			Daytime number: (603) 434-6842
Derry NH 03038-1713 USA			Intel architecture: the left-hand path

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
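Brian's advice (lock NTP down with ipfw, either as a client that only polls trusted servers or as a server that only answers the LAN) and Kim's time-gated vault, worked through as an added example that is not code from the thread: an sh script written for the ipfw(8) syntax of FreeBSD 4.x (rule numbers, keep-state/check-state). The vault address, the two internal stratum-3 servers, the daytime ports, the rule numbers and the crontab path are all assumed for the example; setting IPFW=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# vault.sh -- added example, not code posted in the thread.
# Time-gated ipfw rules for a "vault" host plus NTP lockdown, in the
# ipfw(8) syntax of FreeBSD 4.x (rule numbers, keep-state/check-state).
# Every address, port, path and rule number below is assumed for the example.

IPFW="${IPFW:-/sbin/ipfw}"           # IPFW=echo prints the rules instead of loading them
VAULT="192.0.2.5"                    # the vault's own address (assumed)
NTP_SERVERS="192.0.2.10 192.0.2.11"  # trusted internal stratum-3 peers (assumed)
DAY_PORTS="80 443"                   # TCP services offered only 08:00-20:00 (assumed)
NTP_RULE=3000                        # stateful client rules
NTP_SRV_RULE=3100                    # optional LAN-facing server rules
NTP_DENY_RULE=3900                   # catch-all for udp/123, after the allows
DAY_RULE=5000                        # the only number cron touches;
                                     # "delete N" removes every rule numbered N

fw() { "$IPFW" "$@"; }

# Vault as NTP client only: queries to the listed servers create state,
# replies are accepted only through that state (check-state runs first,
# since same-numbered rules keep insertion order).
ntp_client_rules() {
    fw add $NTP_RULE check-state
    for s in $NTP_SERVERS; do
        fw add $NTP_RULE allow udp from "$VAULT" to "$s" 123 keep-state
    done
}

# Vault also serving time to the LAN: answer LAN queries, nothing else.
ntp_server_rules() {
    lan="$1"                                          # e.g. 192.0.2.0/24
    fw add $NTP_SRV_RULE allow udp from "$lan" to "$VAULT" 123
    fw add $NTP_SRV_RULE allow udp from "$VAULT" 123 to "$lan"
}

# Everything else on udp/123 is dropped, including a "reply" spoofed
# from a server the vault never asked (no state entry matches it).
ntp_deny_rules() {
    fw add $NTP_DENY_RULE deny udp from any to "$VAULT" 123
    fw add $NTP_DENY_RULE deny udp from any 123 to "$VAULT"
}

# Open the daytime services; run from root's crontab at 08:00.
# Clearing the number first keeps a re-run from stacking duplicate rules.
open_vault() {
    fw delete $DAY_RULE 2>/dev/null || true
    for p in $DAY_PORTS; do
        fw add $DAY_RULE allow tcp from any to "$VAULT" "$p" setup
    done
}

# Close them again at 20:00. Only new connections ("setup" = SYN) are
# affected; whether already-open connections survive depends on the rest
# of the rule set (an "established" or keep-state rule lets them through).
close_vault() { fw delete $DAY_RULE; }

# root's crontab entries (assumed path). cron fires on the local clock,
# which is why that clock has to come from servers you trust:
#   0 8  * * * /usr/local/sbin/vault.sh open
#   0 20 * * * /usr/local/sbin/vault.sh close

case "${1:-}" in
    ntp-client) ntp_client_rules; ntp_deny_rules ;;
    ntp-server) ntp_client_rules; ntp_server_rules "${2:-192.0.2.0/24}"; ntp_deny_rules ;;
    open)       open_vault ;;
    close)      close_vault ;;
    "")         ;;   # no argument: only define the functions (useful when sourced)
    *)          echo "usage: $0 ntp-client | ntp-server LAN | open | close" >&2; exit 64 ;;
esac
```

The numbering is the whole point of the layout: the stateful client rules sit at 3000, the optional LAN-facing server rules at 3100, and the udp/123 catch-all deny at 3900, so a server rule can never shadow the vault's own upstream queries, and the 5000 block is the only thing the two cron jobs ever add or delete. Run `IPFW=echo sh vault.sh ntp-server 192.0.2.0/24` to see the full rule list before loading it.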
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020705161934.E259>