[techtalk] hardening firewalls (was Re: hdparm and DMA "not permitted")

Conor Daly conor.daly at oceanfree.net
Sat May 26 22:00:06 EST 2001


On Thu, May 24, 2001 at 09:22:11AM +1200 or so it is rumoured hereabouts, 
Penguina thought:
> 
> 
> On Wed, 23 May 2001, Conor Daly wrote:
> > Sure thing, glad to help.  Now I just gotta go install 2.4 in place of the
> > 2.2.16 that's currently running.  RH7.1 time?
> >
> > Conor
> 
> You might give SuSE 7.1 a whirl...cheaper and imho more complete.  The
> pro distribution has thousands of packages (notably Zope, Squid, Python
> and Postgresql) and is far cheaper than the personal version of RH 7.x
> (if you want to be the first kid on your block to own the new dist and
> don't have the bandwidth to download it in a reasonable amount of time).

Oh, I have RH7.1 already.  Some members of our local LUG (www.linux.ie) have
a nice fat pipe down which they suck the latest ISOs of almost everything.
New distros for the price of the CDR or for Beer! :-)  Must look at some
other distros though.  I've been an RH user pretty much steadily since
that's what we have at work (though my first Linux install (in fact, my
first intro to Linux at all) was Slackware 3.1 *and* I got X working!)

> For a firewall/server, a 'minimal' install and running hardsuse, then
> applying the patches and tweaking the various configurations is a fairly
> reasonable way to go (and even if it's for home use,  security is impt--
> you really don't want some kiddie using your home machine as a
> waystation for illegal activities, since it could be your door the
> cops show up at first!)

Heh!  I'm running a fairly hard firewall on a dedicated 486 at present.
It's an area I haven't paid *too* much attention to, apart from creating a
firewall that is.   I'm not as yet on a 24/7 connection and am on a
dynamic dialup but I'm planning to set up some vpn style stuff and I'd
like to harden up security if I open my HAN to external logins.  At
present I've got the browsing / ftp / email ports open and little else.

> I'd avoid some of the SuSE configuration scripts and default configs.
> Apache is configured to run as a SuSE help server in a way that is
> extremely insecure by default, and sendmail configuration is a lot
> easier from the MH macros that come with the latest from sendmail.org

I'd be inclined myself to strip the firewall of everything but essential
services (there isn't even a compiler on there, new kernels get done on
another box), lock it down tight and then not need to worry so hard about
the other boxes inside.  One caveat though, is a 486/66 DX fast enough to
handle the crypto stuff required for ssh over the internet?  I'm not sure
whether to forward port 22 to the server and have it do the ssh for the
VPN or whether to do it on the firewall.  If I forward the port, do I have
to start hardening up the server also?  

Conor (off to read Jenn's security for newbies stuff)
-- 
Conor Daly <conor.daly at oceanfree.net>

Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
  9:40pm  up 7 days,  9:48,  0 users,  load average: 0.00, 0.00, 0.00
Hobbiton.cod.ie
  9:42pm  up 6 days, 10:43,  2 users,  load average: 0.00, 0.01, 0.00
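As an added example (not part of this thread), a small audit script for the "nothing but essential services" idea in the last paragraph above: it reads the Linux /proc/net/tcp table, lists what is actually listening, and flags anything outside an allowlist, distinguishing loopback-only listeners from ones exposed on a real interface. The sample table and the allowlist of only port 22 are constructed assumptions.

```python
"""Audit listening TCP ports against an allowlist of essential services.
Parses the /proc/net/tcp layout (hex addr:port, state 0A = LISTEN)."""

LISTEN_STATE = "0A"      # 'st' column value for TCP_LISTEN
ALLOWED_PORTS = {22}     # assumption: only sshd should be reachable here

# Constructed sample in /proc/net/tcp layout (little-endian host, as on x86):
# sshd on all interfaces, sendmail on loopback only, portmap on all interfaces,
# plus one established (non-listening) ssh session that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 300 0 0 2 -1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 300 0 0 2 -1
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 300 0 0 2 -1
   3: 0200000A:0016 0501A8C0:8C21 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 00000000 300 0 0 2 -1
"""


def _hex_to_ipv4(hex_addr: str) -> str:
    """Decode the 8-hex-digit, host-byte-order address field to dotted quad."""
    n = int(hex_addr, 16)
    return ".".join(str((n >> (8 * i)) & 0xFF) for i in range(4))


def parse_listeners(proc_net_tcp: str):
    """Return [(bind_ip, port), ...] for sockets in LISTEN state only."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue
        addr_hex, port_hex = fields[1].split(":")
        listeners.append((_hex_to_ipv4(addr_hex), int(port_hex, 16)))
    return listeners


def audit(listeners, allowed_ports=ALLOWED_PORTS):
    """Return (port, scope) for every listener not on the allowlist."""
    findings = []
    for ip, port in listeners:
        if port in allowed_ports:
            continue
        scope = "loopback only" if ip.startswith("127.") else "exposed on " + ip
        findings.append((port, scope))
    return findings


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:      # live table when run on Linux
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for port, scope in audit(parse_listeners(table)):
        print(f"unexpected listener: port {port} ({scope})")
```

Against the constructed sample it reports port 25 as loopback only and port 111 as exposed on 0.0.0.0; port 22 is allowed and the established session is ignored.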