08-02-2010, 07:28 PM
seth vidal

outgoing port block on fedorapeople.org

Hi,
Mike noticed that someone had set up an irc bot running on
fedorapeople.org talking to an irc channel that was not remotely fedora
related. Even if it had been fedora-related it's still not something we
want running on fedorapeople.org. I put in an outgoing port reject to
things bound to 6667. I'll work on a slightly better option soon but I
wanted to let everyone know about this and ask if there were any other
suggestions on how to best block this sort of thing.

Thanks,
-sv


_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
08-02-2010, 07:38 PM
Tristan Santore

On 02/08/10 20:28, seth vidal wrote:
> Hi,
> Mike noticed that someone had set up an irc bot running on
> fedorapeople.org talking to an irc channel that was not remotely fedora
> related. Even if it had been fedora-related it's still not something we
> want running on fedorapeople.org. I put in an outgoing port reject to
> things bound to 6667. I'll work on a slightly better option soon but I
> wanted to let everyone know about this and ask if there were any other
> suggestions on how to best block this sort of thing.
>
> Thanks,
> -sv
>
Seth,
there is only one option. Ban the person from fedorapeople, or at least
give them a warning. So many IRCDs have other ports open, so much so
that the DC block the DC I am in, was removed.

There should be a warning on the ssh login, giving a link maybe, as to
what is acceptable on people, if people abuse their privileges they get
suspended, until they explain why and what they were doing.

Regards,
Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@fedoraproject.org
 
08-02-2010, 07:43 PM
Dennis Gilmore

On Monday, August 02, 2010 02:28:22 pm seth vidal wrote:
> Hi,
> Mike noticed that someone had set up an irc bot running on
> fedorapeople.org talking to an irc channel that was not remotely fedora
> related. Even if it had been fedora-related it's still not something we
> want running on fedorapeople.org. I put in an outgoing port reject to
> things bound to 6667. I'll work on a slightly better option soon but I
> wanted to let everyone know about this and ask if there were any other
> suggestions on how to best block this sort of thing.
>
> Thanks,
> -sv

For fedorapeople I think it's fine to block all outbound communications
except for those related to established inbound connections on the ports
of services we run.

Dennis
 
08-02-2010, 07:51 PM
David Nalley

On Mon, Aug 2, 2010 at 3:43 PM, Dennis Gilmore <dennis@ausil.us> wrote:
> On Monday, August 02, 2010 02:28:22 pm seth vidal wrote:
>> Hi,
>> Mike noticed that someone had set up an irc bot running on
>> fedorapeople.org talking to an irc channel that was not remotely fedora
>> related. Even if it had been fedora-related it's still not something we
>> want running on fedorapeople.org. I put in an outgoing port reject to
>> things bound to 6667. I'll work on a slightly better option soon but I
>> wanted to let everyone know about this and ask if there were any other
>> suggestions on how to best block this sort of thing.
>>
>> Thanks,
>> -sv
>
> For fedorapeople I think it's fine to block all outbound communications
> except for those related to established inbound connections on the ports
> of services we run.
>
> Dennis

+1 - given how freely access is granted it only makes sense.
 
08-02-2010, 08:07 PM
Ian Weller

On Mon, Aug 02, 2010 at 08:38:39PM +0100, Tristan Santore wrote:
> there is only one option. Ban the person from fedorapeople, or at least
> give them a warning. So many IRCDs have other ports open, so much so
> that the DC block the DC I am in, was removed.

That doesn't solve the problem of other users possibly doing the same
thing.

--
Ian Weller <ian@ianweller.org>
Where open source multiplies: http://opensource.com
 
08-02-2010, 08:10 PM
Matthew Galgoci

> Date: Mon, 2 Aug 2010 16:07:10 -0400
> From: Ian Weller <ian@ianweller.org>
> Reply-To: Fedora Infrastructure <infrastructure@lists.fedoraproject.org>
> To: infrastructure@lists.fedoraproject.org
> Subject: Re: outgoing port block on fedorapeople.org
>
> On Mon, Aug 02, 2010 at 08:38:39PM +0100, Tristan Santore wrote:
> > there is only one option. Ban the person from fedorapeople, or at least
> > give them a warning. So many IRCDs have other ports open, so much so
> > that the DC block the DC I am in, was removed.
>
> That doesn't solve the problem of other users possibly doing the same
> thing.

I can fix the glitch on the network level if deemed appropriate, but it
is ultimately not my call.

--
Matthew Galgoci
Network Operations
Red Hat, Inc
919.754.3700 x43155
 
08-02-2010, 08:14 PM
seth vidal

On Mon, 2010-08-02 at 16:10 -0400, Matthew Galgoci wrote:
> > Date: Mon, 2 Aug 2010 16:07:10 -0400
> > From: Ian Weller <ian@ianweller.org>
> > Reply-To: Fedora Infrastructure <infrastructure@lists.fedoraproject.org>
> > To: infrastructure@lists.fedoraproject.org
> > Subject: Re: outgoing port block on fedorapeople.org
> >
> > On Mon, Aug 02, 2010 at 08:38:39PM +0100, Tristan Santore wrote:
> > > there is only one option. Ban the person from fedorapeople, or at least
> > > give them a warning. So many IRCDs have other ports open, so much so
> > > that the DC block the DC I am in, was removed.
> >
> > That doesn't solve the problem of other users possibly doing the same
> > thing.
>
> I can fix the glitch on the network level if deemed appropriate, but it
> is ultimately not my call.

No, you can't b/c the machine isn't on your network.

thanks, though.
-sv


 
08-02-2010, 08:22 PM
Matthew Galgoci

> > > > there is only one option. Ban the person from fedorapeople, or at least
> > > > give them a warning. So many IRCDs have other ports open, so much so
> > > > that the DC block the DC I am in, was removed.
> > >
> > > That doesn't solve the problem of other users possibly doing the same
> > > thing.
> >
> > I can fix the glitch on the network level if deemed appropriate, but it
> > is ultimately not my call.
>
> No, you can't b/c the machine isn't on your network.
>
> thanks, though.

Ah ok. Well we can do it in PHX2 if deemed appropriate.

--
Matthew Galgoci
Network Operations
Red Hat, Inc
919.754.3700 x43155
 
08-03-2010, 06:06 AM
Nicu Buculei

On 08/02/2010 11:07 PM, Ian Weller wrote:
> On Mon, Aug 02, 2010 at 08:38:39PM +0100, Tristan Santore wrote:
>> there is only one option. Ban the person from fedorapeople, or at least
>> give them a warning. So many IRCDs have other ports open, so much so
>> that the DC block the DC I am in, was removed.
>
> That doesn't solve the problem of other users possibly doing the same
> thing.

I think it solves the problem, since this is not a technical problem but
a social problem.

--
nicu :: http://nicubunu.ro :: http://nicubunu.blogspot.com//
 
08-03-2010, 10:04 AM
Jeroen van Meeuwen

seth vidal wrote:
> Hi,
> Mike noticed that someone had set up an irc bot running on
> fedorapeople.org talking to an irc channel that was not remotely fedora
> related. Even if it had been fedora-related it's still not something we
> want running on fedorapeople.org. I put in an outgoing port reject to
> things bound to 6667. I'll work on a slightly better option soon but I
> wanted to let everyone know about this and ask if there were any other
> suggestions on how to best block this sort of thing.
>

Is any outbound NEW connection supposed to be used from fedorapeople.org
except maybe for a few named sockets on trusted remote hosts?

If not, I suppose you could lock it down for most of the 65535-give-or-take
ports, with few exceptions for like the Puppet master (but only from/by user
root) and the DNS servers and such and so forth?

Locking it down still sounds fair enough to me, to say the least.

-- Jeroen
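
The lock-down Dennis and Jeroen describe in this thread, written out as an added example (not part of the thread and not Fedora Infrastructure's actual configuration): replies on established connections, DNS, and root-only Puppet traffic are allowed, and every other new outbound connection is logged and rejected whatever its port. The addresses, the chain name and the use of iptables with the conntrack and owner matches are assumptions.

```shell
#!/bin/sh
# Added example: prints, but does not apply, iptables commands for a
# default-deny egress policy on a shared shell host.
# All addresses are constructed placeholders (RFC 5737 documentation range).
DNS_SERVERS="192.0.2.53 192.0.2.54"  # assumption: the site's resolvers
PUPPET_MASTER="192.0.2.10"           # assumption: Puppet master address
PUPPET_PORT=8140                     # Puppet master's default port
CHAIN="EGRESS"                       # hypothetical chain name

egress_rules() {
    echo "iptables -N $CHAIN"
    # Local services talking over loopback are not egress.
    echo "iptables -A $CHAIN -o lo -j ACCEPT"
    # Replies on connections that clients opened to us (ssh, http): the
    # "related to established inbound connections" exception.
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Name resolution, only towards the listed resolvers.
    for dns in $DNS_SERVERS; do
        for proto in udp tcp; do
            echo "iptables -A $CHAIN -p $proto -d $dns --dport 53 -j ACCEPT"
        done
    done
    # Configuration management, only for processes running as root (uid 0).
    echo "iptables -A $CHAIN -p tcp -d $PUPPET_MASTER --dport $PUPPET_PORT -m owner --uid-owner 0 -j ACCEPT"
    # Anything left is a NEW outbound connection from a user process:
    # log it with the owning uid (rate limited), then reject on every port.
    echo "iptables -A $CHAIN -m limit --limit 6/minute -j LOG --log-prefix 'egress-denied: ' --log-uid"
    echo "iptables -A $CHAIN -j REJECT --reject-with icmp-admin-prohibited"
    # Hook the chain into OUTPUT last, once all of its rules exist.
    echo "iptables -A OUTPUT -j $CHAIN"
}

# Print for review; pipe to "sh -e" as root to apply. IPv6 needs equivalent
# rules through ip6tables, otherwise it stays open.
egress_rules
```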