[Techtalk] Security Issue:disallowing external access to X windows

Julie jockgrrl at austin.rr.com
Fri Sep 14 19:46:26 EST 2001


Rita Starceski wrote:
> 
> yes the machine is dedicated for security purposes.  It would be very bad
> if this system was hacked.  I just meant xterm as an example..
> I don't want any x connections from outside Xservers - other than console.

Ah, the real problem!

You need to keep an absolute minimum number of authorized accounts
on the system.  If you know the machines used by all authorized
users, firewall access to things like rlogin, telnet and ftp by
any other host.  Determine =exactly= what ports must be open for
whatever services that machine is supposed to provide and firewall
everything else.  Don't accept "but I want to be able to read my
mail there, too" if that's not what the machine is for.  They can
read mail and netnews on their own d@mned machine.

Use something like "tripwire" that can detect modified files.  Or
better still, mount as many filesystems as possible "read-only".
Make backups and verify that they are good =and= have no security
exposures.  If you find an exposure on your system, fix it and
make a new backup.  Don't be afraid to restore those backups if
something happens -- trying to fix a hacked machine can be a real
pain in the butt and still not find all the back doors that might
have been left.  Run port scanners against the machine.  Often.

Remove unnecessary software.  This won't stop a determined intruder,
but it can make life very hard and that may give you the time
needed to find out what is going on.

Expire passwords frequently.  Terminate the account of any user
who is no longer authorized to access the machine.  Then change
any shared passwords and re-validate the system configuration.

If the machine is =really= important, buy an inexpensive line
printer and log all syslog output to it.  Some hackers are really
nasty and delete logs.  It's much harder to delete a printout.
-- 
Julianne Frances Haugh             Life is either a daring adventure
jockgrrl at austin.rr.com                 or nothing at all.
					    -- Helen Keller
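The "something like tripwire that can detect modified files" advice above, as an added example that is not part of Julie's post and not Tripwire's own code: a minimal baseline-and-compare integrity checker in Python. It hashes every regular file under a directory with SHA-256, stores the result as a JSON manifest (which, following the post's advice, belongs on read-only or offline media rather than on the monitored host), and on a later run reports files that were modified, added or removed. The directory layout, file contents and the tampering in `demo()` are constructed sample data, not anything from the original thread.

```python
"""Minimal tripwire-style file integrity checker (added example, not from the post)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its digest.

    Symlinks are skipped so a link pointing outside the tree cannot pull
    unrelated content into the manifest.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            baseline[str(full.relative_to(root))] = file_digest(full)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Write the manifest as sorted JSON; keep dest off the monitored host."""
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    """Read a manifest written by save_baseline."""
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests; each list is sorted so reports are stable."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Build a constructed tree, take a baseline, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "sys"           # the monitored tree (constructed)
        manifest = Path(tmp) / "baseline.json"  # stored outside the monitored tree
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts.allow").write_text("sshd: 192.0.2.10\n")  # constructed sample
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed binary")

        save_baseline(build_baseline(root), manifest)

        # Tamper with the tree the way an integrity check is meant to catch:
        # one binary replaced, one file added, one access-control file removed.
        (root / "bin" / "login").write_bytes(b"\x7fELF altered binary")
        (root / "bin" / "extra").write_text("#!/bin/sh\n")
        (root / "etc" / "hosts.allow").unlink()

        return compare(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) or '-'}")
```

Run it as a script to see the three categories printed; in real use you would call `build_baseline` on the directories you care about (`/etc`, `/bin`, `/sbin`, `/usr/bin`, ...) right after a clean install, store the manifest with the backups, and rerun `compare` from a cron job or after any suspicious event. Note that a digest manifest detects changes to content only; a fuller tool like tripwire also records ownership, permissions and inode data, which matters because a mode change on a setuid binary leaves its contents untouched.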



