Daemon programs usually listen for Internet connections on well-known
ports (service numbers) since, after all, their purpose in life is to
provide services to the Internet. Some of the daemons, however, should
be accessible only from the inside of the server box they run in.
We put those daemons in a port range (45056-49151) that is firewalled
against Internet access. If you bring your own daemons that should not
be accessible from the Internet either you can put them in this port
range too. We would like to ask you, however, to start with
port number 45056 and go upwards from there, while we come from 49151
downwards. This way collisions in the future are unlikely.
Here is a list of what we allocated so far:
| Port  | Daemon         |
|-------|----------------|
| 49146 | spamd          |
| 49147 | innd           |
| 49148 | mysqld         |
| 49149 | httpd          |
| 49150 | radiusd (auth) |
| 49151 | radiusd (acct) |
With 'innd' we mean its server port, not the one for the reader processes, which
you can certainly connect to from the Internet. 'httpd' is the Apache daemon.
Keep in mind here that there is a web accelerator in front of it, so
Apache itself runs on a protected port.
Services that do not run on a protected port, that is, those that have
to be accessible from the Internet, have their own means of fine-tunable
access control. Most use the standardized 'libwrap' mechanism, while
web-oriented daemons (which have to deal with lots of connections over
time) like the accelerator (Squid) and the web server (Apache) have
their own access control list (ACL) mechanism built in. The central
config file for 'libwrap' is '/etc/hosts.allow'.
At times when you need to log into your server box but have no way
of doing so with encryption you normally would have to use 'telnet'
(or 'ftp' for file transfer) and risk that your password gets into
the wrong hands since it travels the Internet as plain text.
Another case where you should avoid entering your real password is
on someone else's computer. You cannot be certain that there is
no program in the background that logs your typing, possibly
implanted by a virus infection.
The solution for these scenarios is one-time passwords. It needs
preparation, though. You would have to print out a list of these
auto-generated passwords and have it with you when you need it,
in your wallet, for instance.
Once you have done a successful login with a password from this list, it is
spent and you would cross it out on the list. Although the password and
subsequent data still travel the Internet unprotected, the one-time
password is of no use to potential eavesdroppers since it would not
work a second time. Here is what you would have to do:
Log into your box over a secure channel, that is, SSH. Type
keyinit
Now enter the secret password you would like to use to get access
to the list of one-time passwords. This password is independent of
your user account password. Memorize the password.
The program responds with a message like this:
ID bigboss s/key is 99 sc66201
WENT PAT INCA FONT DUD HAN
FA06 4A79 C220 FE31
The first line shows the current sequence number (99) and the
seed (sc66201) you will also need for access to the list. If you
lose this data you can retrieve it with the command 'keyinfo'.
The next two lines show the one-time password(s) corresponding to
the sequence number 99. They are actually the same, but the first
variant is made of pronounceable English words, while the second one
is a hexadecimal representation. The latter is harder to type in
correctly, but it is shorter. Case is ignored for both variants.
Note that this password is the first on the list that is spent already.
In order to get a list of, for instance, five fresh one-time passwords
you would now type in
key -n 5 `keyinfo`
For convenience, we use 'keyinfo' here to fill in the two arguments
'key' requires (sequence number and seed). 'keyinfo' already returns
the right sequence number (98 in our example) for generating fresh
passwords. Enter the secret password you chose when the program asks
you about it.
Now it gives you a list of fresh one-time passwords, like this:
94: GOAD ABET LARK MALL FAN GLUM 8D88 F6AA DB51 2D1A
95: MIND WELL ARTS BOG BARR HAM BBDF 3939 8405 3231
96: HEFT FEET GIST SEEK ROE NEON 964F DE30 6C43 8786
97: LISA LOP GLOW NET FAN HART B064 B234 15C1 2D28
98: BAR FARM NOEL GIVE SNUG SALT 060F BF14 461E 0FAC
Again, there is the long, pronounceable and the short, hexadecimal
form. You can now use the password corresponding to the sequence
number 98 to log into your box. However, do not forget to strike
it out on the list.
Note that you always have to use the password with the highest
sequence number. This implies two things: the order is relevant,
that is, you cannot randomly pick a password from the list, and
you have to work through that list backwards since the highest sequence
number comes last.
Once you have spent all passwords, or if you want to start over for some
other reason, for instance if someone else got hold of the current
list, use 'keyinit' again. It resets the sequence number
to 99 (remember that this one is spent already) and gives you a new
seed for subsequent retrieval of the (newly generated) password list.
Hint: Before you later depend on it, use the
first password on the list to try out whether it actually works. For
instance, if you mistype the password for the 'key' command, it does not
complain but instead generates a list of different passwords that will
not match. You probably do not want to find this out only when you need
access badly!
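The hash chain behind 'keyinit', 'key' and 'keyinfo', shown as an added example that is not the provider's own code: it assumes the MD5 digest folded to 64 bits as in RFC 2289 (the classic S/Key tools used MD4, but the chaining and the server-side check are the same) and a constructed secret and seed. Running it shows why the highest sequence number must be used first, why a replayed password is rejected, and why a mistyped secret silently yields a different list.

```python
import hashlib

# Assumption: MD5 folded to 64 bits (RFC 2289 style); classic S/Key used MD4.
def skey_hash(data: bytes) -> bytes:
    """One hash step: 128-bit digest folded to 64 bits by XORing its halves."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))

def otp(secret: str, seed: str, seq: int) -> bytes:
    """Password for sequence number seq: hash(seed+secret), then seq more steps."""
    h = skey_hash((seed.lower() + secret).encode())
    for _ in range(seq):
        h = skey_hash(h)
    return h

def hex_form(pw: bytes) -> str:
    """The short hexadecimal form printed by 'key', e.g. '8D88 F6AA DB51 2D1A'."""
    s = pw.hex().upper()
    return " ".join(s[i:i + 4] for i in range(0, 16, 4))

def key_list(secret: str, seed: str, seq: int, n: int) -> list:
    """What 'key -n N seq seed' prints: the n passwords ending at seq."""
    return [(i, hex_form(otp(secret, seed, i))) for i in range(seq - n + 1, seq + 1)]

class SKeyServer:
    """Server side: stores only the last accepted password, never the secret."""
    def __init__(self, secret: str, seed: str, start: int = 99):
        self.seed, self.seq = seed, start
        self.last = otp(secret, seed, start)   # keyinit: password 99 is spent

    def login(self, candidate: str) -> bool:
        pw = bytes.fromhex(candidate.replace(" ", ""))
        # Hashing the presented password once must give the last accepted one.
        if skey_hash(pw) != self.last:
            return False
        self.last, self.seq = pw, self.seq - 1
        return True

def demo() -> dict:
    secret, seed = "correct horse", "sc66201"      # constructed sample values
    srv = SKeyServer(secret, seed)
    fresh = dict(key_list(secret, seed, 98, 5))     # like: key -n 5 `keyinfo`
    return {
        "login_98": srv.login(fresh[98]),    # highest number first: accepted
        "replay_98": srv.login(fresh[98]),   # eavesdropper replays it: rejected
        "skip_to_96": srv.login(fresh[96]),  # out of order: rejected
        "login_97": srv.login(fresh[97]),    # next one working backwards: accepted
        "seq_left": srv.seq,
    }
```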
We do daily backup snapshots of all server boxes.
In case you would like to go back to your latest backup because your box
is damaged beyond repair, or for whatever other reason, you can do this
yourself. Just create the file '/box/cfg/restore' and reboot, like this:
touch /box/cfg/restore
reboot
Note that you can do this only once, until a new
snapshot gets generated the next day. Also, reverting to a backup is final,
that is, you cannot go back to your previous current user container. So
please use this feature with care.
If you would like to make additional remote
backups, which we strongly advocate since important data should
not be kept at only one location,
we provide you with a powerful tool ('rsync') that actually syncs only
the differences between two filesystem hierarchies. 'rsync'
is available for most UNIX and UNIX-like platforms. By default it
uses an SSH connection to transmit the data encrypted. If you do not
have a suitable system available, we can offer you a second server
box (preferably in peer configuration, that is, on another machine)
where you can store your backups.
Note that you should take care of what you back up this way. For instance,
it is not a good idea to make backups of our base system, that is, files
that you use, but that actually do not "belong" to you. It will not hurt us,
but the unnecessary data volume is going to drive up your bill.