
can't access the computer from network


jimp

I just installed 2005 Limited Edition PPC on a G4 iMac. I have it running but I can't access it from the network. I have the firewall set to none, have sshd running, webmin running, but I keep getting access denied errors when I try to use webmin or ssh. I tried to ping the network address from my Windows box and dropped 100% of the packets, yet I can ping the Windows box from the iMac. Also, I have httpd running and am getting the default apache mysql advx.org page when I try, so that is working. Any ideas? I know that sshd and webmin weren't installed with everything else; I used rpmdrake to install them afterwards.

Thanks


Well, it was a pretty good stab!!

I also had a look in hosts.deny. It has a line

ALL:ALL EXCEPT 127.0.0.1:DENY

so I assume I can comment this line out and then it would work. What about entire subnets? By service for any service?

 

Thanks


I also had a look in hosts.deny. It has a line

ALL:ALL EXCEPT 127.0.0.1:DENY

so I assume I can comment this line out and then it would work. What about entire subnets? By service for any service?

Leave the /etc/hosts.deny file as is, that line is very important. The rules are that (1) access is granted to anything that's matched in /etc/hosts.allow, (2) then anything that's matched in /etc/hosts.deny is denied, (3) otherwise access is granted. In konqueror, type: man:/hosts.deny for more details. So typically you want to explicitly specify what you want allowed in /etc/hosts.allow, but deny everything else (except localhost) in /etc/hosts.deny.

 

In both /etc/hosts.allow and /etc/hosts.deny, you can use wildcards and netmasks (e.g., 192.168.1.0/255.255.255.0). This is explained in the hosts.allow man page. The use of wildcards, such as 192.168.1.* or 102.168.1.15?, is supported in LE2005, not sure about earlier versions. I seem to remember that the wildcards didn't work on my 10.1 install (but it might have been a different distro, memory fails).

Edited by jboy
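
An added example, not part of any post in this thread: a small Python model of the allow-then-deny lookup order described above, covering only `ALL`, `EXCEPT`, net/mask and `*`/`?` patterns. The deny rule is the line quoted in the thread; the `sshd` allow rule and the 192.168.1.0 LAN are assumptions, and the third (option) field is ignored.

```python
import fnmatch
import ipaddress

# Constructed sample rules: the deny line is the one quoted in the thread,
# the allow line is an assumed rule for a 192.168.1.0/255.255.255.0 LAN.
HOSTS_ALLOW = "sshd: 192.168.1.0/255.255.255.0\n"
HOSTS_DENY = "ALL:ALL EXCEPT 127.0.0.1:DENY\n"

def _match_one(pattern, value):
    """Match one daemon or client token: ALL, net/mask, or * and ? wildcards."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(value) in net
        except ValueError:  # value is a daemon name or a malformed address
            return False
    return fnmatch.fnmatchcase(value, pattern)

def _match_list(tokens, value):
    """Match a token list, honouring the EXCEPT operator."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], value) and not _match_list(tokens[i + 1:], value)
    return any(_match_one(t, value) for t in tokens)

def _file_matches(text, daemon, client_ip):
    """True if any 'daemons : clients [: option]' rule matches the request."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2:
            continue  # blank line or comment
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if _match_list(daemons, daemon) and _match_list(clients, client_ip):
            return True
    return False

def access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Apply the three steps in order: allow match, deny match, default grant."""
    if _file_matches(allow, daemon, client_ip):
        return "granted (hosts.allow)"
    if _file_matches(deny, daemon, client_ip):
        return "denied (hosts.deny)"
    return "granted (no match)"
```

Calling `access("sshd", "192.168.1.20", allow="")` models the situation in the first post: with no allow rule, every remote client falls through to the deny line, while 127.0.0.1 is still granted.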

OK, one more question. This box will eventually be behind a firewall on the DMZ because it is a web/mail server, so I guess I should just put the gateway address in the allow file and anything the firewall allows will be sent through that, so then it will be accepted? Doesn't seem like I've ever had to mess with these files on any other distro, just tell it no firewall and let her rip, since I am firewalling on another machine. And thanks once more.


When you installed, there was a security level setting option, ranging from Poor to Paranoid. The default for LE2005 is High, I believe. Different distros may have different defaults, so that may explain why you didn't have to mess with this on other distros.

 

You can see all these security configurable options by invoking the draksec wizard: /usr/sbin/draksec

 

Note the several tabs and their options. It's not very well documented but you can read a little bit about it with /usr/share/doc/mandrake/en/Starter/Starter.html/draksec.html. If you don't have that file, download the mandrake-doc-Starter-en-10.2-2mdk package.

 

Now, I'm not a network specialist so I'm going to bow out at this point. I think you're on the right track but perhaps someone here with actual experience in setting up a DMZ may wish to provide some further comments on best security and configuration practices for this situation.

 

EDIT: also note the Help button on the draksec wizard tabs.

Edited by jboy