Restrict any port related to any service you do not intend your system to provide. Port restrictions can be done in ranges. So, for example, if you only intend to offer HTTP, then restrict all the other ports. I usually suggest creating a dummy profile with password *none, restricting access to unused ports to this profile, and then deleting the dummy profile.

Depending on your situation, you can also use port restriction for ports for services you are providing. For example, if you are only providing HTTP access you MAY be able to restrict the 80 and 443 ports to only allow programs running under QTMHHTTP. There is investigation required to make sure you use the appropriate profiles for your web server depending on the security models of your individual web applications.

Patrick Botz
Senior Software Engineer
eServer Security Architect
(507) 253-0917, T/L 553-0917
email: email@example.com

"Jim Franz" <firstname.lastname@example.org.com>
Sent by: security400-admin@midrange.com
10/06/2002 01:38 PM
Please respond to security400
To: <email@example.com>
cc:
Subject: [Security400] web security

The redbook AS400 Internet Security: Protecting Your As400 from Harm on the Internet, suggests restricting selected ports to specific user ids that have password = *none.

80 to QTCP, QTMHHTP1, QTMHHTTP
23 to QTCP

Are there others that should be restricted for other services? lpd, dns, whatever?

Let's just say the firewall in place is "limited" and out of my control. Looking for things to bolt down.
jim
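The approach described in the reply above, as an added example that is not part of either message: a short Python script that works out the unused port ranges around the service ports you offer and prints the matching CL commands. The dummy profile name PORTLOCK is hypothetical, and the port-to-profile mapping is constructed from the values quoted in the thread.

```python
"""Generate OS/400 CL port-restriction commands for a short list of offered services."""

# Constructed sample input: service port -> profiles allowed to bind it.
# The profile names for port 80 are the ones quoted in the thread.
SERVICES = {80: ["QTCP", "QTMHHTP1", "QTMHHTTP"], 443: ["QTMHHTTP"]}


def unused_ranges(open_ports, low=1, high=65535):
    """Return inclusive (lo, hi) ranges covering every port not in open_ports."""
    ranges, start = [], low
    for port in sorted(set(open_ports)):
        if not low <= port <= high:
            raise ValueError(f"port {port} outside {low}-{high}")
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1
    if start <= high:
        ranges.append((start, high))
    return ranges


def cl_commands(services, dummy="PORTLOCK", protocol="*TCP", high=65535):
    """Build the CL command list: dummy profile, range locks, service ports."""
    # PORTLOCK is a hypothetical name for the throwaway profile.
    cmds = [f"CRTUSRPRF USRPRF({dummy}) PASSWORD(*NONE)"]
    # Unused ranges are restricted to the dummy profile.
    for lo, hi in unused_ranges(services, high=high):
        span = f"{lo}" if lo == hi else f"{lo} {hi}"
        cmds.append(f"ADDTCPPORT PORT({span}) PROTOCOL({protocol}) USRPRF({dummy})")
    # Offered ports are restricted to the profiles the service runs under.
    for port in sorted(services):
        for profile in services[port]:
            cmds.append(f"ADDTCPPORT PORT({port}) PROTOCOL({protocol}) USRPRF({profile})")
    # The dummy profile is deleted last, as the reply suggests.
    cmds.append(f"DLTUSRPRF USRPRF({dummy})")
    return cmds


if __name__ == "__main__":
    print("\n".join(cl_commands(SERVICES)))
```

Review the printed list before running it on the system, and lower `high` if you only want to lock a narrower range. Call `cl_commands` again with `protocol="*UDP"` if UDP ports are to be restricted as well.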