Initial Lockdown of a Joyent Accelerator

Posted by Jonathan Altman Fri, 25 May 2007 04:37:00 GMT

Here are the quick steps I took for the initial lockdown of a freshly created Joyent Accelerator:

Change passwords

  • Sign in via secure shell as admin, the default account, and change its password
  • su to root and change the root password
  • Go into virtualmin->webmin->Webmin Users and click on the admin user. Then set Password Authentication to Unix Authentication in the dropdown box and hit the Save button at the bottom of the page. After you do this, you will have to log back in to webmin. Alternatively, you could just set the webmin password to be the same as the one for the admin user you signed in with over secure shell, if you are worried about webmin having access to the Solaris password authentication system. But then you also have to worry about keeping the passwords in sync.

Shut off unnecessary services

  • Disable apache: I am not ready to run a webserver yet, so I shut off apache by su’ing to root and running # svcadm disable cswapache2
  • Make postfix only accept mail from localhost: Webmin->Server->Postfix Configuration->General. Set the text box on “Network interfaces for receiving mail” to localhost, then save. Then stop and restart postfix.

When I was done, my netstat -a -f inet display showed only the following listening ports:

  • *.ssh: ssh daemon
  • *.10000: webmin
  • localhost.smtp: smtp, but can only be accessed via localhost
  • localhost.3306: mysql daemon
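
To repeat that check after later changes, the listener list above can be turned into an allowlist audit. This is an added example, not part of the original post: the function names audit_listeners and sample_netstat are hypothetical, and the sample output is constructed in the Solaris netstat column layout rather than captured from a real Accelerator.

```shell
#!/bin/sh
# Listening sockets the post ends up with; anything else is unexpected.
ALLOWED='*.ssh *.10000 localhost.smtp localhost.3306'

# Reads `netstat -a -f inet` output on stdin. Prints one line per unique
# LISTEN socket: "<status> <scope> <local address>", where scope is "local"
# for localhost-bound sockets and "exposed" for everything else.
# Returns 1 if any listener is not in ALLOWED.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" && !seen[$1]++ {
            scope  = ($1 ~ /^(localhost|127\.0\.0\.1)\./) ? "local" : "exposed"
            status = ($1 in ok) ? "ok" : "UNEXPECTED"
            if (status != "ok") bad = 1
            print status, scope, $1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample in Solaris netstat layout (not captured from a real host):
# the post's four listeners, one established ssh session, and a stray *.80.
sample_netstat() {
    cat <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.ssh                *.*                0      0 49152      0 LISTEN
      *.10000              *.*                0      0 49152      0 LISTEN
localhost.smtp             *.*                0      0 49152      0 LISTEN
localhost.3306             *.*                0      0 49152      0 LISTEN
      *.80                 *.*                0      0 49152      0 LISTEN
host.ssh             client.example.51514 49640      0 49640      0 ESTABLISHED
EOF
}

# On the Accelerator itself: netstat -a -f inet | audit_listeners
sample_netstat | audit_listeners || echo "unexpected listener found"
```

The allowlist entries must match the form netstat prints, so running netstat with -n (numeric ports) requires numeric entries such as *.22 in ALLOWED.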


IT versus software development

Posted by Jonathan Altman Tue, 03 Oct 2006 20:38:00 GMT

Having worked at some places with what I would call “restrictive access policies” regarding internet sites and ports that can be accessed, as well as the software and configuration of computers issued to employees, I am led to the following question for companies that develop software:

If you do not trust your software developers with their own computer, how can you trust them to write the software products you sell?

If you are worried about me setting up my own printers, or installing software on my computer, or where I browse, then how can you trust the commercial software that I write for you? Sure, there are criminal penalties for the latter, but are you saying that the only way I will behave in a lawful manner is under pain of imprisonment?
