[TriLUG] Changing Red Hat security settings

John Berninger johnw at berningeronline.net
Wed Mar 2 16:41:30 EST 2005


Some duplication of previous responses but here goes...

On Wed, 02 Mar 2005, William Sutton wrote:

> >         RHEL 2.1 is based on RHL 7.2, so if you want vsftpd, you'd
> > likely have to roll your own.
> 
> Nice...Was there a reason for doing this other than the dependency hell 
> that seemed to be part of RH8.x and RH9?
        No, just timing.  RHEL 2.1 was released just after RHL 7.2, RHEL
3 wasn't release ready until after RHL 9 was out, so RHEL 2.1 is a 7.2
base, 3 is a 9 base.

> > > 3.  Not related directly:  Which is preferable?  vsftpd or wu-ftpd?  If 
> > > vsftpd, where can I get an rpm that will work on ES 2.1?
> >         vsftpd is way more secure, but <support drone>it's not supported
> > on RHEL 2.1</drone>.
> 
> figures...
        Reasoning is same as above.

> ok, some checking:
> 
> # rpm -qa |grep -i 'wu-ftp'
> wu-ftpd-2.6.1-20
> 
> # chkconfig --list  |grep -i ftp
>         wu-ftpd:        on
> 
> # service wu-ftpd status
> wu-ftpd: unrecognized service
        Expected - as was pointed out, wu-ftpd is a xinetd subservice,
thus why you have to restart xinetd to restart wu-ftpd.

> # iptables -L
> /lib/modules/2.4.9-e.12/kernel/net/ipv4/netfilter/ip_tables.o: 
> init_module: Device or resource busy
> Hint: insmod errors can be caused by incorrect module parameters, 
> including invalid IO or IRQ parameters
> /lib/modules/2.4.9-e.12/kernel/net/ipv4/netfilter/ip_tables.o: insmod 
> /lib/modules/2.4.9-e.12/kernel/net/ipv4/netfilter/ip_tables.o failed
> /lib/modules/2.4.9-e.12/kernel/net/ipv4/netfilter/ip_tables.o: insmod 
> ip_tables failed
> iptables v1.2.5: can't initialize iptables table `filter': iptables who? 
> (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
        You're in deep shit.  The messages about not seeing iptables
modules are okay, but e.12 is known to have multiple data corruptors.
It is probably munching on your data as I write this.  Upgrade the
kernel to something post-e.49 as soon as you can.  After you've done
that, check "ipchains -L", but I doubt you have any firewall rules
active.  Also, just to be on the safe side, "chkconfig gssftp off ;
service xinetd restart" as GSSFTP will sometimes get started
automatically - that's bitten a number of people.

> All sounds very ominous.  Perhaps I should consider bumping this up to RH 
> ES 3.something?
        Nothing ominous aside from the e.12 kernel.  You should be fine
on 2.1 with a newer kernel.

-- 
John Berninger
                                                                                
GPG Key ID: A8C1D45C
        Fingerprint: B1BB 90CB 5314 3113 CF22  66AE 822D 42A8 A8C1 D45C

Ita erat quando hic adveni.
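
Added example, not part of the original message: because wu-ftpd and gssftp run as xinetd sub-services, "service wu-ftpd status" cannot report on them, so this sketch reads the xinetd drop-in files directly and lists which ones are enabled. The function names and the sample files (including their server paths) are constructed for illustration; on a real host the directory to check is /etc/xinetd.d.

```shell
#!/bin/sh
# Print the chkconfig-style name (the file name) of every xinetd
# sub-service under DIR that is not disabled. A file with no "disable"
# line counts as enabled here, matching xinetd's default.
xinetd_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v name="${f##*/}" '
            /^[ \t]*#/ { next }                 # ignore comment lines
            /^[ \t]*disable[ \t]*=/ {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v)     # keep the value only
                sub(/[ \t]+$/, "", v)
                dis = tolower(v)
            }
            END { if (dis != "yes") print name }
        ' "$f"
    done | LC_ALL=C sort
}

# Enabled sub-services whose name mentions ftp (wu-ftpd, gssftp, ...).
ftp_enabled() {
    xinetd_enabled "$1" | grep -i ftp
}

# Constructed sample drop-ins: wu-ftpd on, gssftp switched on as well,
# telnet off.
make_sample() {
    printf 'service ftp\n{\n\tserver  = /usr/sbin/in.ftpd\n\tdisable = no\n}\n' > "$1/wu-ftpd"
    printf 'service ftp\n{\n\tserver  = /usr/kerberos/sbin/ftpd\n\tdisable = no\n}\n' > "$1/gssftp"
    printf 'service telnet\n{\n\tserver  = /usr/sbin/in.telnetd\n\tdisable = yes\n}\n' > "$1/telnet"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "Enabled xinetd sub-services:"
xinetd_enabled "$demo_dir"
count=$(ftp_enabled "$demo_dir" | grep -c .)
if [ "$count" -gt 1 ]; then
    echo "WARNING: $count FTP daemons enabled under xinetd; turn off the unwanted one with chkconfig and restart xinetd"
fi
rm -rf "$demo_dir"
```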