MyNews is a news-server (NNTP-server). This type of server is difficult to attack. And all a potential hacker can get are the messages which the server carries. MyNews has no access to your system information. All it delivers are the messages in your newsgroups. So no critical information can be transmitted.
All security options are available with the menu Secu - Security Setup in the main window. The topics are:
This is the most severe protection you can use. If the server
is not activated, then nobody can access it. And nobody can
attack it. However you cannot access MyNews with your own
news-reader then. But you can download messages and use the
internal newsreader.
If you want to use this option, then you can use this strategy:
This mode of operation does not allow others to download messages from your server, so it is not very cooperative. You can still use the news-servers at your provider, pay-servers and other free news-servers. But other MyNews netizens will not tolerate for very long that you download from them without contributing anything. So this mode is recommended just for cautious, inexperienced users.
It is ALWAYS possible to stop and start the server manually with the menu-functions Server - Start server and Server - Stop server.
Instead of disabling the entire server-part of MyNews you can activate this option. MyNews then accepts connections only from your local computer. Access from 'outside' (from the Internet) or from your local network is not possible. MyNews refuses these connections.
This mode of operation allows you to access your own MyNews-server with your own newsgroup-tools and still lock it to others. If you activate this option, then you can disable the "Dont start server automatically" option. However, this level of security is 'one tick' lower than deactivating the server completely.
This option is only available in the full version of MyNews.
It lets you manage third-party access based on IP-addresses
and username+password. It is discussed later in this document.
This option restricts access to your MyNews to other
MyNews participants. If this option is deactivated, then any
internet user who knows your IP-address can read messages from
your server with a 'normal' newsreader. If you want to restrict
access to your MyNews to your friends or use a kill-list, then
this option should be activated.
If you want to offer your server as a public server to those who
cannot (or don't want to) use MyNews, then this option must be switched
off. If you need protection in this case, then 'Activate
Authentication' is the only way MyNews offers.
You can ALWAYS access your own MyNews with your own, local
newsreader on the same machine. This access is not affected by this
security option.
This option restricts access to your 'friends' who also run
MyNews. All MyNews servers have unique names which are protected
with an encoded registration. This method of protection is not
100% secure. But it helps a lot when trouble comes up in specific
communities.
Activating this option means that you now have to create and
manage the list of 'friends'. (This is the disadvantage of all
security: it causes additional work.) The function Secu -
Edit Friends opens the access-file which contains the
servernames of your friends. Here is an example:
If you want to grant access to your friends "pilot7", "systics" and "surfer", then the access-file should contain:
pilot7
systics
surfer
If the list is empty, then NOBODY can access your server!
If you are normally running an open system and share just some
private communities and groups, then you need no protection at
all. But from time to time some netizens believe that the net is
theirs. They act as trolls and must be isolated (usually for a
specific time). Isolating a troll is the only weapon against a
troll. And if you meet a troll in the MyNews-network, then this
option is a good weapon against them.
Again you have to create and manage a list of 'trolls' if you
activate this option. The menu function Secu - Edit Killfile
allows you to edit this list. Here is an example:
If you want to lock out "troll7" and "gnome", then the killfile should contain:
troll7
gnome
If the list is empty and this option is activated, then no
kills are done.
It is not possible to use "Reject MyNews trolls"
together with "Accept only MyNews friends". If you
accept only friends, then the killfile is ignored!
MyNews is a regular news-server, so it is possible to post
messages to it. If you don't want others to post messages to
your MyNews, then activate this option. You should ALLOW postings
from outside if you offer newsreader-access for your friends.
Otherwise they have no way to post to your community. But normally
you can activate this security option without affecting the
regular operation of MyNews. Everybody has his own server to post
to.
Your own local posts from your own tools on your computer are not
affected (and not restricted) by this option.
As a regular news-server MyNews also accepts IHAVE-feeds from outside (other servers). With this feature it is possible to create your own private networks for newsgroups with fully automatic message exchange. Normally you don't need IHAVE, so you can always activate this security option.
If you use a special community such as "bike55aer34" and keep this name secret, then your MyNews server stays invisible to all those who do not use the same community name. Only the admin of the "First Server" where your Login (and contact to others) is done will know the name of this secret community. The additional advantage of this method is that even your IP-address is kept secret from all other, unknown MyNews-users.
If you use special newsgroup names for exchanging information, such as "private.grp7843aqw12", and share this name only with your friends, then this group stays invisible to other users. If you don't announce it in a public group or any other public forum, then you are pretty safe from trolls and curious elements. And it is very easy to "change the name of the group" if someone disturbs you (changed from Paulus to Saulus): Tell your friends the new name. Everybody renames the group, and you are hidden again.
MyNews supports authentication in the full version. Authentication (login into the news-server with username and password) is the most usual method for access restriction of news-servers. But it has the disadvantage that it must be managed: Every user (friend) will receive a username and a password from you by private eMail. And whenever it is necessary to change this, you have to do that as well. This is called "administrating a server". If you want to take the pain to do real administration, here is how it works:
Activate the option "Activate authentication" in the
security setup. Then use the function Secu - Edit access file.
There are two types of authentication. Both are described now -
and are combined in this one access file.
IMPORTANT: "Accept only MyNews friends" and
"Reject MyNews-trolls" are inactive if full
authentication is activated!
If you grant users access by IP-address, then your users should have a fixed IP-address for their computer. Normally all dialup providers offer only dynamic IP-addressing, so this method does not work too well for our purpose. But if you are a small provider and want to offer your customers MyNews, then you can use this to protect your server.
The first part of the file "data\access.dat" contains the IP-addresses and their permissions. One example:
You want to grant free access to the computer with the
IP-address: 1.1.1.1 - and you want to grant free access to your
local area network: 192.168.*.*
Additionally you want to LOCK OUT access from the subnet 3.1.*.*
- because there are some trolls. Then your access file has these
entries:
; All lines which start with a semicolon or are empty are ignored
1.1.1.1,,,*
192.168.* ,,,*
; spaces in an ip-address are ignored. So you can format the list :-)
3.1.*,,,k
; the 'k' instead of the asterisk enables the KILL. Access from this subnet is forbidden.
The comparison between a computer which tries to connect to
our server and the list is done on a character-by-character basis.
So spaces can be skipped and the first asterisk ends the
comparison. The three commas are placeholders for username and
password. They cannot be combined with IP-controlled access. The
last asterisk is "general permission". Later versions
of MyNews will support sophisticated access rights. (Read only,
Post only, specific groups only, ....)
The IP-address comparison is done when another computer connects
to MyNews. If the IP-address is OK, then the user can access.
Otherwise the connection is refused. If the IP-address is not found
but an "Authentication by username+password" section is
in the file, then the second authentication decides about access
or reject.
Warning: IP-address authentication is disabled if the second
section is located at the beginning of the file!
The above example shows the entry 192.168.*, which is your local network. You can also add something like 193.222.* and 193.223.* to allow netizens from a specific provider to access your host, or you can lock out specific networks (perhaps a rude provider) with the kill-option. IP-addresses don't change very fast.
The second part of the file "data\access.dat" contains usernames, passwords and permissions. One example:
You want to grant access with the Name+Pass-Combinations: michael/123, otto/pw34, myself/009712. Then your access file contains these lines AFTER the IP-address section (if you use both):
*,michael,123,*
*,otto,pw34,*
*,myself,009712,*
The first asterisk is the indicator that this access is possible from anywhere in the Internet. (It is not possible to create a combination of IP-address and username+password).
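The two-stage check described above, as an added Python sketch (not MyNews code, which this page does not show). The sample file is constructed from this page's own entries; three points are assumptions because the page does not specify them: the first matching IP line wins, a pattern without an asterisk must match the whole address, and IP lines placed after the username section are ignored.

```python
import hmac

# Constructed sample in the format described on this page (not a real MyNews file).
SAMPLE = """\
; IP-address section first
1.1.1.1,,,*
192.168.* ,,,*
3.1.*,,,k

; username+password section
*,michael,123,*
*,otto,pw34,*
"""

def parse(text):
    """Split access.dat text into (ip_rules, users); ';' lines and blanks are skipped."""
    ip_rules, users = [], {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"expected ip,user,password,permission: {line!r}")
        ip, user, password, perm = fields
        ip = ip.replace(" ", "")  # spaces in an IP-address are ignored
        if ip == "*" and user:
            users[user] = password
        elif not users:  # assumption: IP lines after the user section are ignored
            ip_rules.append((ip, perm))
    return ip_rules, users

def ip_matches(pattern, addr):
    """Character-by-character comparison; the first '*' ends it."""
    for i, ch in enumerate(pattern):
        if ch == "*":
            return True
        if i >= len(addr) or addr[i] != ch:
            return False
    return len(addr) == len(pattern)  # assumption: no '*' means exact match

def decide(ip_rules, users, addr, user=None, password=None):
    """Return 'allow' or 'refuse' for one incoming connection."""
    for pattern, perm in ip_rules:  # assumption: first matching line wins
        if ip_matches(pattern, addr):
            return "refuse" if perm == "k" else "allow"
    stored = users.get(user)
    if stored is not None and hmac.compare_digest(stored.encode(), (password or "").encode()):
        return "allow"
    return "refuse"
```

Because the first asterisk simply ends a character comparison, a pattern written as 3.1* would also match 3.10.x.x; keep the dot before the asterisk, as the entries on this page do.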
If you lock your server with authentication, then your friends
(or customers) have to activate authentication in their
newsreader to get access.
If you run your server on a permanent IP-address, then your
MyNews friends can add your server with the IP-Number (or fully
qualified domain name) and the authentication as a 'normal'
Usenet-Host.
If you run your server on a dialup, then your MyNews-friends add
your server again as a 'normal' Usenet-server. The server name is
then the name of your MyNews-server (Example: root - WITHOUT
dots). Whenever your server is online and one of your friends
makes a 'login', then he or she gets the current IP-address of your
server from the First Host and MyNews automatically updates the
host-entry. Then access is even possible on dynamic IP-addresses
on both sides, but still protected with authentication.
Yes, indeed. Security is complicated. Especially full
authentication requires a little bit more experience than the
average user has. But the 'easier' methods at the top of this
document, the lists of friends and trolls, should be easy enough
to be used by everybody.
If you wonder about the fact that all these lists are managed
with simple ASCII-editors, then be sure that such a tool is far
more flexible and easier to use than any graphical desktop.
This is the reason why nearly all administrators prefer such text
files for configuration.