
Re: RedHat 7 distribution cds



My last posting reminds me of my 3 rules for paranoid operation of a connected
Linux machine:

1. USE IPCHAINS (or ipfilter, or whatever firewall you prefer) to only let
   in and out the services you really intend to run and only to the
   machines you intend to give them to (or take them from). On a home machine
   (or another machine not intended as a general-purpose login server) these
   rules can be very strict (only allow specific packets: e.g., DNS
   replies from a specific name server, ICQ packets to/from the specific
   mirabilis network, etc.).
   This rule is optional (but recommended) - but if you don't use it make sure
   you pay extra attention to the next one:

but just in case something breaks with rule 1.,

2. RUN ONLY THE SERVICES YOU REALLY WANT. Do you know what a portmapper does?
   No? Good - don't run it then. Do you expect people from Finland to send
   files to your printer? Do you even have a printer? No? Then don't run
   the printer daemon. Does anybody ever telnet _into_ your machine? No?
   Then don't run telnetd! If you need to allow telnet but only from a
   specific host, then see hosts_access(5) (you can also use a firewall rule,
   but we're in paragraph 2. - assuming the rules of paragraph 1. broke)

also,

3. UPDATE YOUR SOFTWARE. Even if the above lines of defense do work properly,
   sometimes you _do_ want to provide services: you may want to put up an
   FTP server, SSH server, or whatever. Even running Internet-connected
   _clients_ like Netscape or Licq actually is equivalent to running a
   service because these clients take instructions from the Internet and do
   something (potentially something dangerous or erroneous) with them.
   So make sure you update your software frequently so no known security
   hole remains in it. All Linux distributors have mailing lists of security
   announcements and FTP sites from which you can get the updated packages.
   General mailing lists of computer-security announcements and exploits also
   exist (the best one is "bugtraq", in my opinion).

There are other rules, like "Never run anything that sends shell-account
passwords cleartext" (telnet is obviously a faux-pas, but so are
non-anonymous FTP and POP3 - unless these accounts are shell-less),
but I'll leave some for another time ;)


-- 
Nadav Har'El                        |      Wednesday, Mar 7 2001, 12 Adar 5761
nyh@math.technion.ac.il             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |If you're looking for a helping hand,
http://nadav.harel.org.il           |look first at the end of your arm.
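An added example, not part of Nadav's post: a minimal ipchains ruleset for the kind of single-user home machine rule 1 describes, with a default-deny input policy and explicit holes only for DNS replies from one name server and for replies to connections the machine opened itself. The name server 192.0.2.53 and the interface ppp0 are assumed placeholders; set IPCHAINS=echo to print the rules instead of loading them (loading needs root).

```shell
#!/bin/sh
# Added example: paranoid ipchains input rules for a home machine (rule 1).
# Assumed placeholders: name server 192.0.2.53, Internet-facing interface ppp0.
# IPCHAINS=echo turns the script into a dry run that only prints the rules.
IPCHAINS="${IPCHAINS:-ipchains}"

paranoid_rules() {
    ns="$1"   # the single name server whose DNS replies we accept
    ext="$2"  # the Internet-facing interface

    # Start from an empty input chain and a deny-everything policy.
    $IPCHAINS -F input
    $IPCHAINS -P input DENY

    # Local processes talk to each other over loopback; never block it.
    $IPCHAINS -A input -i lo -j ACCEPT

    # DNS replies: UDP from port 53 of our name server only, to unprivileged ports.
    $IPCHAINS -A input -i "$ext" -p udp -s "$ns" 53 -d 0/0 1024:65535 -j ACCEPT

    # Replies to TCP connections we opened: packets without the SYN flag (! -y).
    # A fresh connection attempt from outside carries SYN and never matches.
    $IPCHAINS -A input -i "$ext" -p tcp ! -y -j ACCEPT

    # ICMP we need back: answers to our own pings and "unreachable" errors.
    # In ipchains the ICMP type is written in the source "port" position.
    $IPCHAINS -A input -i "$ext" -p icmp -s 0/0 echo-reply -j ACCEPT
    $IPCHAINS -A input -i "$ext" -p icmp -s 0/0 destination-unreachable -j ACCEPT

    # Everything else is dropped and logged (-l), so probes show up in syslog.
    $IPCHAINS -A input -i "$ext" -j DENY -l
}

# Usage: ./paranoid.sh <name-server-ip> [interface]
if [ $# -ge 1 ]; then
    paranoid_rules "$1" "${2:-ppp0}"
fi
```

Rule 2 still matters with this loaded: a service you do not run cannot be reached even if a rule here is wrong.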
