
BLU Discuss list archive



New Work Study Job



Johannes Ullrich <jullrich at euclidian.com> wrote:
> Thomas Leonard <ike6116 at mac.com> wrote:
>> The other guy who knows about Linux
>> said he wanted it chroot jail-ed and configurable by webmin if
>> possible.
>
> [See]
> http://www.cymru.com/Documents/secure-bind-template.html
>   and the chroot howto:
>
> http://en.tldp.org/HOWTO/Chroot-BIND-HOWTO.html

For what it's worth, I took a look at the Chroot howto noted above and
confirmed that Suse 8.2's startup scripts follow the recommendations contained
in this howto.  You get a chroot jail "out of the box".

When creating a caching-only name server, you won't need a lot of the items in that
template.  But it's good to protect the DNS config with its own ACL limiting
access to onsite users only, and additionally to block ports 53 and 953 at the
firewall (unless you've got another DNS server that has to be open to the rest
of the 'net).

Bind9 is pretty secure but you do have to watch for CERT advisories. 
Occasional security holes are found in it and you have to stay on top of
upgrades.

Probably the most tedious part of your project will be updating client systems
to use the new server IP address, unless everything is already getting its DNS
server info via DHCP...

-rich
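
As an added illustration of the setup discussed in the message above (not part of the original post, and not taken from the linked template or howto): a minimal BIND 9 `named.conf` for a caching-only resolver whose queries are limited by ACL to onsite users and whose rndc control channel on port 953 is bound to loopback. The network 192.0.2.0/24, the file paths and the key name are placeholders assumed for the example.

```conf
// Constructed example: caching-only BIND 9 resolver restricted to onsite clients.
// 192.0.2.0/24 is a placeholder (documentation range) for the onsite network.
acl "onsite" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    // Assumed path; when named runs chrooted (named -t <jail>), this is
    // resolved inside the jail.
    directory "/var/named";

    recursion yes;                    // caching-only: resolve on behalf of clients
    allow-query     { "onsite"; };    // refuse queries from everyone else
    allow-recursion { "onsite"; };    // recursion only for onsite clients
    allow-transfer  { none; };        // no authoritative zones to transfer
};

// rndc control channel (port 953): loopback only, key required.
include "/etc/rndc.key";              // assumed location; defines key "rndc-key"
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Root hints are the only zone a caching-only server needs.
zone "." {
    type hint;
    file "root.hint";                 // assumed file name
};
```

`named-checkconf` validates the file before a reload. The ACL here complements the firewall block on ports 53 and 953 mentioned in the message; it does not replace it.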





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org