Hi, Mike noticed that someone had set up an irc bot running on fedorapeople.org talking to an irc channel that was not remotely fedora related. Even if it had been fedora-related it's still not something we want running on fedorapeople.org. I put in an outgoing port reject to things bound to 6667. I'll work on a slightly better option soon but I wanted to let everyone know about this and ask if there were any other suggestions on how to best block this sort of thing.
Thanks, -sv
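The bot above was spotted by hand. As an added example (not from this thread or from Fedora Infrastructure's own tooling), here is the check an admin could run to find this kind of thing: it reads `ss -tnp` output and reports every established TCP connection whose local port is not one of the services the host runs, which means some process on the host opened it outward. The service port list, the sample `ss` lines and the process names in them are constructed assumptions.

```shell
#!/bin/sh
# Added example: list connections a shared login host opened outward.
# Assumed: the host runs sshd, httpd and httpd/TLS, so replies on local ports
# 22, 80 and 443 are normal; anything else ESTABLISHED was opened from here.
SERVICE_PORTS="${SERVICE_PORTS:-22 80 443}"

# Read `ss -tnp` output on stdin and print "process pid peer" for each
# established TCP connection whose local port is not a service port.
outbound_connections() {
    awk -v svc="$SERVICE_PORTS" '
        BEGIN { n = split(svc, a, " "); for (i = 1; i <= n; i++) service[a[i]] = 1 }
        $1 != "ESTAB" { next }                  # skip the header and listeners
        {
            lport = $4; sub(/.*:/, "", lport)    # local port is after the last ":"
            if (lport in service) next           # reply traffic for a service we run
            proc = "?"; pid = "?"
            # Process column looks like users:(("python",pid=2231,fd=3))
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                proc = s; sub(/.*\(\("/, "", proc); sub(/".*/, "", proc)
                pid = s;  sub(/.*pid=/, "", pid)
            }
            print proc, pid, $5                  # $5 is the peer address:port
        }'
}

# Constructed sample of `ss -tnp` output (RFC 5737 test addresses), standing in
# for the live command so the check can be exercised offline.
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port     Peer Address:Port    Process
ESTAB  0      0      198.51.100.5:22        203.0.113.7:51324    users:(("sshd",pid=1402,fd=3))
ESTAB  0      0      198.51.100.5:80        203.0.113.9:40112    users:(("httpd",pid=1550,fd=12))
ESTAB  0      0      198.51.100.5:47210     203.0.113.22:6667    users:(("python",pid=2231,fd=3))
ESTAB  0      0      198.51.100.5:35522     203.0.113.40:8140    users:(("puppetd",pid=987,fd=5))
LISTEN 0      128    0.0.0.0:22             0.0.0.0:*
EOF
}

# Usage on a live host (root, so -p can see every user's processes):
#   ss -tnp | outbound_connections
# Offline demonstration on the constructed sample:
sample_ss_output | outbound_connections
```

On the sample this reports the `python` process talking to port 6667 and the (expected, root-owned) Puppet connection, and nothing for sshd or httpd. Run from cron, the output is a short daily list an admin can eyeball, and the expected entries (like the Puppet agent) can be filtered by peer address.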
On 02/08/10 20:28, seth vidal wrote:
> I put in an outgoing port reject to things bound to 6667. I'll work on a slightly better option soon but I wanted to let everyone know about this and ask if there were any other suggestions on how to best block this sort of thing.
> infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
Seth, there is only one option. Ban the person from fedorapeople, or at least give them a warning. So many IRCDs have other ports open, so much so that the DC block the DC I am in, was removed.
There should be a warning on the ssh login, giving a link maybe, as to what is acceptable on people. If people abuse their privileges they get suspended until they explain why and what they were doing.
Regards, Tristan
On Mon, Aug 02, 2010 at 08:38:39PM +0100, Tristan Santore wrote:
> there is only one option. Ban the person from fedorapeople, or at least give them a warning. So many IRCDs have other ports open, so much so that the DC block the DC I am in, was removed.
That doesn't solve the problem of other users possibly doing the same thing.
> Date: Mon, 2 Aug 2010 16:07:10 -0400
> From: Ian Weller ian@ianweller.org
> Reply-To: Fedora Infrastructure infrastructure@lists.fedoraproject.org
> To: infrastructure@lists.fedoraproject.org
> Subject: Re: outgoing port block on fedorapeople.org
>
> On Mon, Aug 02, 2010 at 08:38:39PM +0100, Tristan Santore wrote:
> > there is only one option. Ban the person from fedorapeople, or at least give them a warning.
> That doesn't solve the problem of other users possibly doing the same thing.
I can fix the glitch on the network level if deemed appropriate, but it is ultimately not my call.
On Mon, 2010-08-02 at 16:10 -0400, Matthew Galgoci wrote:
> > That doesn't solve the problem of other users possibly doing the same thing.
> I can fix the glitch on the network level if deemed appropriate, but it is ultimately not my call.
No, you can't b/c the machine isn't on your network.
thanks, though. -sv
> > I can fix the glitch on the network level if deemed appropriate, but it is ultimately not my call.
> No, you can't b/c the machine isn't on your network.
Ah ok. Well we can do it in PHX2 if deemed appropriate.
On 08/02/2010 11:07 PM, Ian Weller wrote:
> On Mon, Aug 02, 2010 at 08:38:39PM +0100, Tristan Santore wrote:
> > there is only one option. Ban the person from fedorapeople, or at least give them a warning.
> That doesn't solve the problem of other users possibly doing the same thing.
I think it solves the problem, since this is not a technical problem but a social problem.
On Monday, August 02, 2010 02:28:22 pm seth vidal wrote:
> I put in an outgoing port reject to things bound to 6667. I'll work on a slightly better option soon but I wanted to let everyone know about this and ask if there were any other suggestions on how to best block this sort of thing.
For fedorapeople I think it's fine to block all outbound communications except for those related to established inbound connections on the ports of services we run.
Dennis
On Mon, Aug 2, 2010 at 3:43 PM, Dennis Gilmore dennis@ausil.us wrote:
> For fedorapeople I think it's fine to block all outbound communications except for those related to established inbound connections on the ports of services we run.
+1 - given how freely access is granted it only makes sense.
seth vidal wrote:
> I put in an outgoing port reject to things bound to 6667. I'll work on a slightly better option soon but I wanted to let everyone know about this and ask if there were any other suggestions on how to best block this sort of thing.
Is any outbound NEW connection supposed to be used from fedorapeople.org, except maybe for a few named sockets on trusted remote hosts?
If not, I suppose you could lock it down for most of the 65535-give-or-take ports, with few exceptions for like the Puppet master (but only from/by user root) and the DNS servers and such and so forth?
Locking it down still sounds fair enough to me, to say the least.
-- Jeroen
"JvM" == Jeroen van Meeuwen kanarip@kanarip.com writes:
JvM> Is any outbound NEW connection supposed to be used from
JvM> fedorapeople.org, except maybe for a few named sockets on trusted
JvM> remote hosts?
Well, some might think it reasonable to pull content to fedorapeople (wget, scp run on fedorapeople pulling from remote sites) instead of forcing content to be pushed. Which would argue for outbound http and ssh ports, I guess. Should be easy to just say no to that kind of thing, though, if the intent is to lock it down.
I also wonder if mounting user-writable filesystems as noexec would be reasonable.
- J<
On Tue, 2010-08-03 at 06:20 -0500, Jason L Tibbitts III wrote:
> I also wonder if mounting user-writable filesystems as noexec would be reasonable.
they are noexec - the user uses a python based irc bot and just ran it using: python scriptname.
-sv
On Tue, 3 Aug 2010, seth vidal wrote:
> On Tue, 2010-08-03 at 06:20 -0500, Jason L Tibbitts III wrote:
> > I also wonder if mounting user-writable filesystems as noexec would be reasonable.
> they are noexec - the user uses a python based irc bot and just ran it using: python scriptname.
I wonder how much pain chmod o-x /usr/bin/python would cause :)
-Mike
On Tue, 2010-08-03 at 08:42 -0500, Mike McGrath wrote:
On Tue, 3 Aug 2010, seth vidal wrote:
On Tue, 2010-08-03 at 06:20 -0500, Jason L Tibbitts III wrote:
>> "JvM" == Jeroen van Meeuwen kanarip@kanarip.com writes:
JvM> Is any outbound NEW connection supposed to be used from JvM> fedorapeople.org accept maybe for a few named sockets on trusted JvM> remote hosts?
Well, some might think it reasonable to pull content to fedorapeople (wget, scp run on fedorapeople pulling from remote sites) instead of forcing content to be pushed. Which would argue for outbound http and ssh ports, I guess. Should be easy to just say no to that kind of thing, though, if the intent is to lock it down.
I also wonder if mounting user-writable filesystems as noexec would be reasonable.
they are noexec - the user uses a python based irc bot and just ran it using: python scriptname.
I wonder how much pain chmod o-x /usr/bin/python would cause :)
would newrepo still work?
-sv
On Mon, Aug 2, 2010 at 13:28, seth vidal skvidal@fedoraproject.org wrote:
> I put in an outgoing port reject to things bound to 6667. I'll work on a slightly better option soon but I wanted to let everyone know about this and ask if there were any other suggestions on how to best block this sort of thing.
Coming from a different background, but dealing with summer students we usually put our people systems on a limited outbound network. We knew that 80, 443, 22 and 53 were going to happen, so we allowed those through a proxy and everything else got logged and checked daily. Way overkill probably, but the wonders of iptables tables allow for all kinds of local magic :). [Or a good selinux policy].
Personally I was thinking, policy-wise, we MOTD that this server is not meant for running services or daemons off of, and that the definition of such things is up to the administrators and not the users :).
On Tue, 2010-08-03 at 13:10 -0600, Stephen John Smoogen wrote:
On Mon, Aug 2, 2010 at 13:28, seth vidal skvidal@fedoraproject.org wrote:
Hi, Mike noticed that someone had setup an irc bot running on fedorapeople.org talking to an irc channel that was not remotely fedora related. Even if it had been fedora-related it's still not something we want running fedorapeople.org. I put in an outgoing port reject to things bound to 6667. I'll work on a slightly better option soon but I wanted to let everyone know about this and ask if there were any other suggestions on how to best block this sort of thing.
Thanks, -sv
Coming from a different background but dealing with summer students we usually put our people systems on a limited outbound network. We knew that 80,443,22,53 were going to happen so we allowed those through a proxy and everything else got logged and checked daily. Way overkill probably but the wonders of iptables tables allows for all kinds of local magic :). [Or a good selinux policy].
Personally I was thinking policy wise we MOTD that this server is not meant for running services or daemons off of and the definition of such things is up to the administrators and not the users :).
I like the idea of changing the MOTD, too.
-sv