[lug] Securing Fetchmail
D. Stimits
stimits at idcomm.com
Tue Aug 7 12:11:28 MDT 2001
David wrote:
>
> I am trying to secure my machine; but I want to minimise the amount of
> reading and studying I have to do.
>
> Aside: This kind of approach (to Linux) has been discussed recently.
> My excuse is that I have lots of work to do *using* Linux;
> consequently my time for *configuring* Linux is limited. Also,
> of course, there will be others reading this, and any replies,
> who will benefit as much as I.
>
> So, I have an elementary firewall (courtesy RedHat) and I think that I
> understand how ipchains work. But I know that there are gotchas, so
> how secure is it?
>
> # Firewall configuration written by lokkit
> # Manual customization of this file is not recommended.
> # Note: ifup-post will punch the current nameservers through the
> # firewall; such entries will *not* be listed here.
> :input ACCEPT
> :forward ACCEPT
> :output ACCEPT
> -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
> -A input -s 216.17.128.1 53 -d 0/0 -p udp -j ACCEPT
> -A input -s 216.17.128.2 53 -d 0/0 -p udp -j ACCEPT
The two lines above look suspicious to me. I assume you are wanting to
accept port 53 DNS queries. In that case, the source port is not
relevant; it is the destination port. Since this is the input chain, I
assume these are your ISP's primary and secondary name servers, or
someone you want to access your local port 53. In which case it would be
more like:
-A input -s 216.17.128.1/32 -d 0/0 53 -p udp -j ACCEPT
-A input -s 216.17.128.2/32 -d 0/0 53 -p udp -j ACCEPT
It is also possible under large queries that DNS will try to use tcp/ip,
so udp getting in might not be enough at all times.
I could be wrong about that, probably someone else should comment. I'm
not sure about the part of "ifup-post will punch the current nameservers
through...".
You might also want to explicitly name interfaces, like -i ppp0 or -i
eth0.
D. Stimits, stimits at idcomm.com
> -A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
> -A input -s 0/0 -d 0/0 -p udp -j REJECT
>
> I use telephone dialup to connect to my ISP, and I assume that that is
> reasonably secure, up until the moment when I am assigned an address.
> Then, I assume, my firewall gives me whatever protection it does
> against penetration of my machine via that address (hence the question
> above).
>
> Next, I use fetchmail with a .fetchmailrc file. So my ISP password is
> launched in the clear for the world to see. So I started to read the
> man page for fetchmail. Understanding all that is there, including
> understanding all the other things referred to will take me the rest
> of the week, at least. I cannot do that, and I know that I need only
> a small part of what is there. So I am doing this posting instead,
> hoping to bypass the eye-glazing stuff.
>
> I thought that the -ssl option would do it for me, only to read that
> Raymond et al caution against it (!); for what is actually a very good
> reason: it does not provide protection against active attack. Ssh
> tunnelling (whatever that is) is recommended instead. Now I have
> started to use ssh (another "how secure is that?"), so it is working
> on my machine. But the only information on how to do ssh tunnelling
> in the fetchmail man page is this:
>
> Here's an example configuration using ssh and the plugin
> option. The queries are made directly on the stdin and
> stdout of imapd via ssh. Note that in this setup, IMAP
> authentication can be skipped.
>
> poll mailhost.net with proto imap:
> plugin "ssh %h /usr/sbin/imapd" auth ssh;
> user esr is esr here
>
> Well that looks pretty easy to type. But the second line is a little
> tricky. "Plugin" itself is ok, also the hostname parameter, but what
> is /usr/sbin/imapd? I do not have one of those.
>
> Also, why can IMAP (what is IMAP?) authentication be skipped? Is it
> because ssh authentication is being used?
>
> Perhaps the most important question is: What is going to happen if I
> use this command? I.e., what is not there that I am assumed to know?
>
> Actually, I think that I am getting the idea. The tunnel is just the
> ssh connection and then fetchmail uses that connection - right? So I
> am back to IMAP again (no man page for imap, so is this something that
> I need to rpm-in?)
>
> Informative replies will be highly appreciated. Security is an
> important topic, after all. And it is true that a good number of
> people will benefit from such postings.
>
> Thanks everyone.
>
> dajo
>
> P.S. When I have got this going my next question is going to be "How
> do I secure my web browser - and, do I need to?" 8-)
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
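The exchange above turns on which port an ipchains DNS rule should key on, whether the rules name an interface, and whether TCP/53 is covered. The script below is an added example, not code from either poster: it parses the lokkit-style rule dump quoted in the thread (embedded here as a constructed sample), reports those three points, and emits replacement nameserver rules for two roles. The role distinction goes slightly beyond the thread: a host that only resolves names sees replies arriving *from* port 53 at an unprivileged local port, while a host that serves DNS receives queries *at* its own port 53, which is the form the reply suggests. The nameserver addresses are the ones posted; the interface name `ppp0` and the `dns_rules` helper are assumptions of this example.

```python
"""Added example (not from the thread): a small auditor for the ipchains
rule dump quoted above. It parses the lokkit-style '-A' lines and reports
the points the reply raises (which port a DNS rule keys on, no interface
named, no TCP/53 counterpart), then rewrites the nameserver rules for a
chosen role. Nameserver addresses come from the post; the interface name
ppp0 is an assumption."""
import shlex

# Constructed sample: the rules as posted, comments and policies included.
SAMPLE_RULES = """\
# Firewall configuration written by lokkit
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 216.17.128.1 53 -d 0/0 -p udp -j ACCEPT
-A input -s 216.17.128.2 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT
"""


def parse_rule(line):
    """One '-A chain ...' line -> dict. ipchains lets a port or port range
    follow the -s / -d address, so those options take one or two tokens."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    r = {"chain": toks[1], "src": None, "sport": None, "dst": None,
         "dport": None, "proto": None, "iface": None, "target": None}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("-s", "-d"):
            addr, port = ("src", "sport") if t == "-s" else ("dst", "dport")
            r[addr] = toks[i + 1]
            i += 2
            if i < len(toks) and not toks[i].startswith("-"):  # optional port
                r[port] = toks[i]
                i += 1
        elif t in ("-p", "-i", "-j"):
            r[{"-p": "proto", "-i": "iface", "-j": "target"}[t]] = toks[i + 1]
            i += 2
        else:
            i += 1  # -y, -l and other flags are not audited here
    return r


def parse_ruleset(text):
    """Skip comments and chain-policy lines, parse the rest."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ":")):
            r = parse_rule(line)
            if r:
                rules.append(r)
    return rules


def audit(rules):
    """Return (rule_index, finding) pairs; index None means whole ruleset."""
    findings = []
    udp53 = tcp53 = False
    for n, r in enumerate(rules):
        if r["target"] != "ACCEPT":
            continue
        if r["iface"] is None:
            findings.append((n, "no -i interface: rule matches on every interface"))
        if r["proto"] == "udp" and r["sport"] == "53" and r["dport"] is None:
            findings.append((n, "keys on source port 53 only: ipchains is stateless, "
                                "so every local UDP port is reachable from this address"))
            udp53 = True
        if r["proto"] == "udp" and r["dport"] == "53":
            udp53 = True
        if r["proto"] == "tcp" and "53" in (r["sport"], r["dport"]):
            tcp53 = True
    if udp53 and not tcp53:
        findings.append((None, "UDP/53 accepted but nothing for TCP/53: large DNS "
                               "answers fall back to TCP"))
    return findings


def dns_rules(nameserver, role, iface="ppp0"):
    """Emit the two ipchains lines (udp + tcp) for one nameserver.
    'client': the host only resolves names, so replies come from port 53
    to an unprivileged local port (lokkit's form, tightened).
    'server': the host answers queries on its own port 53 (the reply's form)."""
    if role == "client":
        match = "-s %s/32 53 -d 0/0 1024:65535" % nameserver
    elif role == "server":
        match = "-s %s/32 -d 0/0 53" % nameserver
    else:
        raise ValueError("role must be 'client' or 'server'")
    return ["-A input %s -p %s -i %s -j ACCEPT" % (match, proto, iface)
            for proto in ("udp", "tcp")]


if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE_RULES)
    for n, msg in audit(rules):
        print("rule %s: %s" % ("set" if n is None else n, msg))
    for ns in ("216.17.128.1", "216.17.128.2"):
        print("\n".join(dns_rules(ns, "client")))
```

Run against the posted rules, the auditor flags both nameserver lines twice (no interface, source-port-only match) and the ruleset once (no TCP/53). Because ipchains keeps no connection state, the client-role rewrite narrows the destination to the unprivileged port range a resolver actually uses; the server-role rewrite is what you would want only if the box answers DNS queries itself.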