[techtalk] Linux security suggestions

James Sutherland jas88 at cam.ac.uk
Mon May 14 08:54:09 EST 2001


On Sun, 13 May 2001, Brian Sweeney wrote:

> Last week, against our direct order, a user at my organization put a (near
> as we can tell) unpatched RHL6.2 box on the network.  He was compromised in
> under 12 hours; I haven't gotten the chance to recover the logs to figure
> out exactly when.  It'll be more difficult, since he (again against our
> order) wiped the machine and began a reinstall.  He says he backed up the
> filesystem, but who knows what shape it's in.  Anyway, that was when I
> discovered the quote below that became my sig file and new mantra ;-).

LOL! A friend of mine lost a box to crackers through a wu-ftpd exploit a
couple of months ago - but this was RedHat 6.2 **WITH** the then-current
patches on!

If you are mostly running client systems (i.e. few or no TCP services
needed), you can run a NAT gateway as your firewall: the machines behind
the firewall don't even have accessible IP addresses, let alone open
ports, and the firewall just forwards packets - no open ports there
either! At which point, you're pretty secure: it's very hard to break into
a machine you can't even send packets to!

Of course, if you're running any servers, you need to start poking holes
in that nice secure firewall, but at least this way you know EXACTLY
what's running: even if the client OS you use defaults to running 200
servers, none of them are really available to the outside world unless you
say so...

(Useless against "inside jobs" of course, but those aren't things we need
to worry about on our home networks, I hope!)

James.
-- 
"Our attitude with TCP/IP is, `Hey, we'll do it, but don't make a big
system, because we can't fix it if it breaks -- nobody can.'"

"TCP/IP is OK if you've got a little informal club, and it doesn't make
any difference if it takes a while to fix it."
		-- Ken Olson, in Digital News, 1988
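
The NAT gateway setup described in the message above, as an added example that is not part of the original post: a shell function that emits a default-deny iptables-restore ruleset in which the only inbound traffic forwarded is what you list explicitly. It assumes a modern iptables with the conntrack match; the interface names (eth0 outside, eth1 inside) and the `proto:wan_port:lan_ip:lan_port` spec format are invented for this example.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for a NAT gateway.
# Assumptions: WAN_IF faces the outside network, LAN_IF the clients.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# Usage: nat_gateway_rules [proto:wan_port:lan_ip:lan_port ...]
# Each argument is one deliberate "hole"; with no arguments nothing inbound
# is forwarded. Example: nat_gateway_rules tcp:80:192.168.1.10:80 | iptables-restore
nat_gateway_rules() {
    dnat="" holes=""
    for spec in "$@"; do
        IFS=: read -r proto wport ip lport <<EOF
$spec
EOF
        # Reject malformed specs before emitting anything.
        case "$proto" in tcp|udp) ;; *) echo "bad protocol: $spec" >&2; return 1 ;; esac
        case "$ip" in ""|*[!0-9.]*) echo "bad address: $spec" >&2; return 1 ;; esac
        for p in "$wport" "$lport"; do
            case "$p" in ""|*[!0-9]*) echo "bad port: $spec" >&2; return 1 ;; esac
        done
        dnat="$dnat-A PREROUTING -i $WAN_IF -p $proto --dport $wport -j DNAT --to-destination $ip:$lport
"
        holes="$holes-A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $ip --dport $lport -m conntrack --ctstate NEW -j ACCEPT
"
    done
    # INPUT DROP: the gateway itself offers no services.
    # FORWARD DROP: only replies, outbound client traffic and listed holes pass.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
${dnat}-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
${holes}COMMIT
EOF
}
```

Review the generated text before piping it to `iptables-restore`, since loading it replaces the existing nat and filter tables.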




