TCLUG Archive

Re: [TCLUG:3292] Security Pointers & DSL questions...



You should ask this of Mike or Kevin over at Vector :-)

Quoting Scott K. Johnson (skj@visi.com):
> Hello All,
> 
> Anyone have any pointers to docs and/or books on securing a Linux system?

Personally, I'd shut off everything in /etc/inetd.conf except auth
and time. This will force you to use ssh (and the s-commands) but it
will prevent clear-text usernames and passwords from floating around
the 'net.

I'd install and run tripwire so you know when you get hacked.

http://www.lj.net/~jht/rpms

Next, configure your NetSpeed to block all traffic from the serial
side that you know you never want on your LAN. For instance, I never
want netbios-ns or netbios-dgm on my LAN from the serial link.

I am particularly anal, I block tcp and udp on port 137, 138, 139.

Other ports I block are sunrpc, snmptrap, and syslog. Talk to the NOC
people at Vector; they may want read-only snmp access to your link
for stats.

I block other ports, but that is the anal part of me showing through :-)


> I've got my Linux box IP Masquerading so the other machines on the network
> can get out.  I've also signed up with Visi.com to have a static IP when I
> get all hooked up.

I am not familiar with Masquerading, so I do not know if this will
allow you to NAT route through to your inside LAN.

> I want to be able to protect my Linux box and small network, but still be
> able to get in to access files, etc. when I need to.  I don't think this is
> an unrealistic goal, but if I knew better I wouldn't have to ask right??  8D

Masquerading = NAT routing?  If linux allows you to proxy across then
things should work just fine for you.

> Now, will I be able to send e-mail to "username@<my IP address>"? or how
> does that whole picture look??

Yes and no. If Vector has MX'd your IP address to their main mail
server then all mail, even mail addressed to username@your-ip.com, will get
sent to Vector's main mail server. You probably want to talk to the
NOC and have them MX your IP address to your mail server, but keep
secondary MX records to other mail servers just in case you are down.

Sorry, have to promote Real Time here....

All of the above is done for our DSL clients automatically. Port blocks,
MX records, the works. I am working on a program specifically for
linux users to help protect their machines as well as a reduced price
for monthly service.


-- 
Bob Tanner <tanner@real-time.com>       | Phone : (612)943-8700
http://www.real-time.com                | Fax   : (612)943-8500
Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9
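The first piece of advice in the reply above, keeping only auth and time in /etc/inetd.conf, can be applied mechanically. The script below is an added example and is not code from the thread or from Real Time; the sample inetd.conf text inside it is constructed, the allow-list is taken from the reply, and the path handling is an assumption for illustration. It comments out every active service whose name is not on the allow-list, leaves existing comments and blank lines alone (so it is safe to re-run), and reports what it disabled.

```python
"""Comment out every inetd.conf service except an allow-list.

Added example, not part of the TCLUG thread.  It applies the advice in the
reply above (leave only auth and time enabled in /etc/inetd.conf) to the
file contents.  Usage, as an assumed workflow:

    python inetd_harden.py /etc/inetd.conf > inetd.conf.new
    diff /etc/inetd.conf inetd.conf.new      # review before installing

With no argument it runs on the constructed sample below.
"""
import sys

# Services the reply says to leave running.
KEEP = frozenset({"auth", "time"})


def harden_inetd(text, keep=KEEP):
    """Return (new_text, disabled).

    new_text is the file with every active service not in `keep` commented
    out; disabled lists the service names that were turned off, in order.

    inetd.conf lines look like:
        <service> <socket type> <proto> <wait/nowait> <user> <server> <args>
    so the service name is the first whitespace-separated field.  RPC
    entries use "service/version" as that field; only the bare name is
    compared.  Blank lines and lines that are already comments pass through
    untouched, which makes the function idempotent.
    """
    out = []
    disabled = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        name = stripped.split()[0].split("/")[0]
        if name in keep:
            out.append(line)
        else:
            disabled.append(name)
            # Keep the original line under a comment so it can be re-enabled.
            out.append("#" + line)
    return "\n".join(out) + "\n", disabled


# Constructed sample, not a real system's file.  Note the two `time` entries
# (tcp and udp) and the `exec` line that is already commented out.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf: constructed sample for the example
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
time    stream  tcp     nowait  root    internal
time    dgram   udp     wait    root    internal
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as f:
            text = f.read()
    else:
        text = SAMPLE_INETD_CONF
    new_text, disabled = harden_inetd(text)
    sys.stdout.write(new_text)
    sys.stderr.write("disabled: %s\n" % ", ".join(disabled))


if __name__ == "__main__":
    main(sys.argv)
```

Editing the file does nothing until inetd re-reads it (send it SIGHUP, or restart it), and the listening ports only disappear once that happens, so check with `netstat -an` afterwards rather than trusting the edit. Services that are started from init scripts instead of inetd (sendmail, named, an NFS server) are not covered by this file at all and have to be turned off separately.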