  1. #1
    BANNED
    Join Date
    Feb 2002
    Posts
    656

    Securing DNS zones

    What is the best way to secure DNS zones?

    If someone breaches access to one server they have access to all DNS zones and can easily delete them all or point them somewhere else.

    Is it possible to protect them with:
    chattr +i /var/named/*

    Are there any other ways to protect them?

  2. #2
    Member
    Join Date
    Jan 2004
    Posts
    252

    OMG DUDE, you claim to be a security expert and you ask all these stupid questions relating to simple security stuff.

    Besides, if someone gains root access to your server, what's to stop them from chattr -i them? Nothing at all.
    Last edited by StevenC; 10-05-2004 at 08:41 PM.
    Rack911.com - Competent Server Administration
    Server Security - Administration - Managed Servers - Optimization - High Traffic Clusters

  3. #3
    Member
    Join Date
    Jun 2004
    Location
    Canada
    Posts
    378

    yeah chattr +i them.. yeah that's a good thing..

    then what happens to cPanel when it needs to edit or add new ones yeah.. good thing...

    NOT
    Sheldon King
    Server Administrator
    http://www.forgehosting.com

  4. #4
    Member
    Join Date
    Jan 2004
    Posts
    252

    It would be possible to make cPanel chattr -i them and chattr +i after work is done by modifying

    /usr/local/cpanel/whostmgr/bin/dnsadmin
    Rack911.com - Competent Server Administration
    Server Security - Administration - Managed Servers - Optimization - High Traffic Clusters

  5. #5
    Member
    Join Date
    Jun 2004
    Location
    Canada
    Posts
    378

    oh well see I didn't know...
    Sheldon King
    Server Administrator
    http://www.forgehosting.com

  6. #6
    BANNED
    Join Date
    Feb 2002
    Posts
    656

    Quote: Originally Posted by Sheldon
        yeah chattr +i them.. yeah that's a good thing..

        then what happens to cPanel when it needs to edit or add new ones yeah.. good thing...

        NOT

    How many times do you need to change a site's IP?

    chattr would not prevent you from adding new ones.

  7. #7
    BANNED
    Join Date
    Feb 2002
    Posts
    656

    Quote: Originally Posted by TheLinuxGuy
        It would be possible to make cPanel chattr -i them and chattr +i after work is done by modifying

        /usr/local/cpanel/whostmgr/bin/dnsadmin

    This defeats the purpose of chattr +i'ing them in the first place.

    DNS zones aren't something that regularly changes.

  8. #8
    BANNED
    Join Date
    Feb 2002
    Posts
    656

    Quote: Originally Posted by TheLinuxGuy
        OMG DUDE, you claim to be a security expert and you ask all these stupid questions relating to simple security stuff.

        Besides, if someone gains root access to your server, what's to stop them from chattr -i them? Nothing at all.

    How could they chattr -i all files on my DNS server remotely from one of my other servers? If you can do that you truly are THEE expert, you know more than any hacker and any Linux expert in the world.

  9. #9
    Member
    Join Date
    Sep 2004
    Posts
    529

    umm... he said root access on your server.. he didn't say anything about doing it remotely, I don't know where you got that.

    I do find it odd that a supposed 'security expert' is asking basic security questions on forums.

  10. #10
    BANNED
    Join Date
    Feb 2004
    Posts
    349

    Quote: Originally Posted by TheLinuxGuy
        OMG DUDE, you claim to be a security expert and you ask all these stupid questions relating to simple security stuff.

        Besides, if someone gains root access to your server, what's to stop them from chattr -i them? Nothing at all.

    Ye, that's a good one now, isn't it?

  11. #11
    BANNED
    Join Date
    Feb 2002
    Posts
    656

    Quote: Originally Posted by dezignguy
        umm... he said root access on your server.. he didn't say anything about doing it remotely, I don't know where you got that.

        I do find it odd that a supposed 'security expert' is asking basic security questions on forums.

    Obviously my DNS server (where the DNS zones are that I'm chattr -i'ing) is a separate machine.

  12. #12
    BANNED
    Join Date
    Feb 2002
    Posts
    656

    Quote: Originally Posted by AbeFroman
        What is the best way to secure DNS zones?

        If someone breaches access to one server they have access to all DNS zones and can easily delete them all or point them somewhere else.

        Is it possible to protect them with:
        chattr +i /var/named/*

        Are there any other ways to protect them?

    Apparently the wording of my question isn't obvious and has confused a couple of "security experts" here.

    Let me rephrase the first sentence for those "security experts" that are a little slow.
    If someone breaches access to one server, other than my primary DNS server and my secondary DNS server which only has a couple of ports open and is so secure that I'm not worried about someone hacking, they have access to all DNS zones and can easily delete them all or point them somewhere else.

  13. #13
    BANNED
    Join Date
    Feb 2002
    Posts
    656

    Quote: Originally Posted by mr.wonderful
        Ye, that's a good one now, isn't it?

    I found it pretty funny, he seriously claims to know security???

  14. #14
    BANNED
    Join Date
    Feb 2002
    Posts
    656

    Quote: Originally Posted by dezignguy
        I do find it odd that a supposed 'security expert' is asking basic security questions on forums.

    Obviously cPanel has overlooked this serious security issue, so if I'm securing holes that their entire staff, including their own top security expert, left open, I'd say I'm at the expert level. I have one way of doing it and want to know if there are any others or see if anyone else has ideas that they can contribute.

  15. #15
    Member
    Join Date
    Jan 2004
    Posts
    252

    AbeFroman you are a complete idiot. I said what if they gain root access to your server. Let's say an exploit for sshd or bind is released. They exploit it and gain root access, they then can chattr -i them.

    my statement about this

        It would be possible to make cPanel chattr -i them and chattr +i after work is done by modifying

        /usr/local/cpanel/whostmgr/bin/dnsadmin

    Which you are too thick to understand. Whenever you add a new domain it will not be chattr +i, that will chattr +i them after they are added. It will also unchattr the domain if you need to change the IP and chattr +i it again once it is done modifying.

    You are the one faking being a security expert. Do I need to bring up the threads again where you were hacked and asking for help on how to clean up/secure less than 1 month ago?
    Rack911.com - Competent Server Administration
    Server Security - Administration - Managed Servers - Optimization - High Traffic Clusters
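
Post #15 points out that a newly added zone file does not carry the immutable flag until something re-applies it. As an added example (not written by any poster in this thread and not cPanel's code), the sh function below audits `lsattr` output and lists zone files that are missing the flag; the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list zone files that are missing the immutable flag.
# Input is `lsattr` output on stdin: a flags field, whitespace, then the path.

zones_missing_immutable() {
    while read -r flags path; do
        [ -n "$path" ] || continue          # blank or malformed line
        case "$flags" in
            *[!A-Za-z-]*) continue ;;       # not a flags field (e.g. "lsattr:" errors)
            *i*) ;;                         # immutable already set
            *) printf '%s\n' "$path" ;;     # report: flag is missing
        esac
    done
}

# Constructed sample input; these file names are made up for illustration.
SAMPLE_LSATTR='----i---------e------- /var/named/example.com.db
--------------e------- /var/named/newcustomer.net.db
----i---------e------- /var/named/example.org.db
lsattr: Operation not supported While reading flags on /var/named/data
--------------e------- /var/named/another site.db'

audit_sample() {
    printf '%s\n' "$SAMPLE_LSATTR" | zones_missing_immutable
}

# On a real server (as root), the equivalent check would be:
#   lsattr /var/named/* | zones_missing_immutable
audit_sample
```

Run from cron, a non-empty result shows which zones were added or unlocked since the last pass; as the thread notes, the flag itself does not stop an attacker who already has root on the DNS server.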
