[olug] Building a Hellacious Firewall
Jon
thechunk at thechunk.dhs.org
Wed Jun 27 03:52:23 UTC 2001
This was really a good read for me. I agree with what you are saying. I don't know if there are many inexperienced linux users on this list but thought I would share my minor insights into running a secure server.
1. no telnet / ftp
2. see number 1
3. openssh with certificates so I can get connections without prompts.
4. edit my /etc/inetd.conf and remove all services I don't use.
I have only read one issue of 2600 but found the information to be invaluable. It is really good to see how many mistakes people make. There was an article describing how to take someones email and searching the net for any uses of it. At first thought this seems futile but they point out that if someone is active in usenet than with the awesome cataloging of message lists you can get some hits possibly. It then pointed out that if someone ever posted live information to a usenet list you could get system info such as os and maybe even a config file or too if the admin got frustrated. Anyway just some thoughts.
-Jon W
On Tue, Jun 26, 2001 at 04:33:23PM -0500, Jason Ferguson wrote:
> Okay, iptables isnt tough:
>
> iptables -A INPUT --source (addy-of-bad-guy) -J LOG
> iptables -A INPUT --source (same-addy) -J DROP
>
> Or something like that.
>
> However, we talk so much about the HOW to firewall, with ipchains or
> iptables, that we miss what I feel is even more important... WHAT to
> firewall.
>
> Now, for example... Ive heard it said that AUTH (usually port 113, check
> your /etc/services) is a security risk to run: it lets people gather
> info about your computer. However, try connecting to IRC without it...
> you wont get far. Solution: deny AUTH requests from anyone besides the
> IRC servers. Just LOG all of your requests for awhile to get the IP
> address of the servers, then modify your rules. Same goes for any one
> the other services; firewalls can block access to your services except
> for select IP addresses. This could allow something as bad as TELNET on
> your internal network without being angerous to the outside (gotta be
> careful of spoofing, of course).
>
> I prefer to build my firewall script myself, rather than use some
> generator program. This is because if you just use a generator, do you
> REALLY know what you're blocking and/or allowing? Probably not.
>
>
> IPTABLES brings new stuff to the table. I personally dont know how to
> use things like MARK. So, to get to the point of this email (finally),
> can some of the old pros here share some of their experience in the art
> of building firewalls rather than the science?
>
> Jason
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> For additional commands, e-mail: olug-help at bstc.net
---------------------------------------------------------------------
To unsubscribe, e-mail: olug-unsubscribe at bstc.net
For additional commands, e-mail: olug-help at bstc.net
More information about the OLUG
mailing list