Полезная информация

Network services - NNTP

 

INN

The usenet server INN has had a long and varied history, for a long period there were no official releases and it seemed to be in a state of limbo. However, it is back for good now it would seem. The server software is responsible for handling a potentially enormous load, if you take a full newsfeed the server must process several hundred articles per second, some several kilobytes in size. It must index these articles, write them to disk, and hand them out to clients that request them. INN itself is relatively secure, since it handles data with a directory and generally doesn't have access outside of that, however as with any messaging system if you use it for private/confidential material you must be careful. INN is currently maintained by ISC and is available at: http://www.isc.org/inn.html.

One of the main security threats with INN is resource starvation on the server. If someone decides to flood your server with bogus articles or there is a sudden surge of activity you might be in trouble if capacity is lacking. INN has had several bad security holes in past, but with today's environment the programmers seem to have chased down and eliminated all of them (none have surfaced recently). It is highly recommended (for more than security reasons alone) that you place the news spool on a separate disk system, let alone partition. You might also wish to use ulimit to restrict the amount of memory available so that it cannot bring the server to it's knees. 

As for access, you should definitely not allow public access. Any news server that is publicly accessible will be quickly hammered by people using it to read news, send spam and the like. Restrict reading of news to your clients/internal network and if you are really worried force people to login. Client access to INN is controlled via the nnrp.access file. You can specify IP address(s), domain names and domains (such as *.example.org), as well as there access levels (read and post), the newsgroups they do or don't have access to and you can also specify a username and password. However, because the password is linked to the host/domain it gets somewhat messy. 

example of nnrp.access:

*:: -no - : -no- :!*
# denies access from all sites, for all actions (post and read), to all groups.
*.example.org::Read Post:::*
# hosts in example.org have full access to all groups
*.otherexample.org::Read:::*, !me.*
# hosts in otherexample.org have read access to everything but the me hierarchy
*.otherexample.org:Read Post:myname:mypassword:*
# give me access from my AOL account using a username and password

If you are going to run a news server I highly recommend the O'Reilly book "Managing Usenet". Usenet is similar to Sendmail, a total beast to get running smoothly and keep happy.

News should be firewalled as most servers typically server an internal group, and access connections from one or two upstream feeds:

ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 119
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 119
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 119

or

ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 119
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 119
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 119
Diablo

Diablo is free software aimed at backbone news transport, that is to say accepting articles from other NNTP servers and feeding them on to other servers, it is not aimed at use by end users for reading or posting. You can get Diablo at: http://apollo.backplane.com/diablo/.

DNews

A commercial NNTP server for various platforms. Available from: http://netwinsite.com/dnews.htm.

Cyclone

Cyclone is a commercial NNTP server aimed at backbone news transport, that is to say accepting articles from other NNTP servers and feeding them on to other servers, it is not aimed at use by end users for reading or posting. You can get Cyclone at: http://bcandid.com/.

Typhoon

Typhoon is a commercial NNTP server aimed at end user news access, that is to say allowing users to post and read articles. You can get Typhoon at: http://bcandid.com/.

Back

Security Portal

Written by Kurt Seifried