Re: RedHat 7 distribution cds
My last posting reminds me of my 3 rules for paranoid operation of a connected
Linux machine:
1. USE IPCHAINS (or ipfilter, or whatever firewall you prefer) to only let
in and out the services you really intend to run and only to the
machines you intend to give them to (or take them from). On a home machine
(or another machine not intended as a general-purpose login server) these
rules can be very strict (only allow specific packets: e.g., DNS
replies from a specific name server, ICQ packets to/from the specific
mirabilis network, etc.).
This rule is optional (but recommended), but if you don't use it, make sure
you pay extra attention to the next one.
But just in case something breaks with rule 1,
2. RUN ONLY THE SERVICES YOU REALLY WANT. Do you know what a portmapper does?
No? Good - don't run it then. Do you expect people from Finland to send
files to your printer? Do you even have a printer? No? Then don't run
the printer daemon. Does anybody ever telnet _into_ your machine? No?
Then don't run telnetd! If you need to allow telnet but only from a
specific host, then see hosts_access(5) (you can also use a firewall rule,
but we're in paragraph 2. - assuming the rules of paragraph 1. broke)
also,
3. UPDATE YOUR SOFTWARE. Even if the above lines of defense do work properly,
sometimes you _do_ want to provide services: you may want to put up an
FTP server, SSH server, or whatever. Even running Internet-connected
_clients_ like Netscape or Licq actually is equivalent to running a
service because these clients take instructions from the Internet and do
something (potentially something dangerous or erroneous) with them.
So make sure you update your software frequently so no known security
hole remains in it. All Linux distributors have mailing lists of security
announcements and FTP sites from which you can get the updated packages.
General mailing lists of computer-security announcements and exploits also
exist (the best one is "bugtraq", in my opinion).
There are other rules, like "Never run anything that sends shell-account
passwords cleartext" (telnet is obviously a faux-pas, but so are
non-anonymous FTP and POP3 - unless these accounts are shell-less),
but I'll leave some for another time ;)
--
Nadav Har'El | Wednesday, Mar 7 2001, 12 Adar 5761
nyh@math.technion.ac.il |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |If you're looking for a helping hand,
http://nadav.harel.org.il |look first at the end of your arm.
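An added example (not part of the post above, and not the author's own configuration) of the hosts_access(5) mechanism that rule 2 points to for "telnet, but only from a specific host". It is a small offline evaluator of tcp_wrappers semantics: a (daemon, client) pair is allowed if it matches /etc/hosts.allow, otherwise denied if it matches /etc/hosts.deny, otherwise allowed. The two files are constructed samples embedded in the script; the host names, addresses and daemon names are made up for illustration. The pattern subset implemented is ALL, exact host/IP, leading-dot domain suffix, trailing-dot address prefix and net/mask; EXCEPT and the LOCAL/KNOWN/PARANOID wildcards are deliberately left out. The last check shows the trap behind the warning to "pay extra attention": with no deny rule at all, tcp_wrappers lets everything through.

```python
"""Offline evaluator for tcp_wrappers (hosts_access(5)) access decisions.

Added example, not from the original mailing-list post. Sample file contents
below are constructed for illustration.
"""
import ipaddress

# Constructed sample hosts.allow: telnet only from one admin box; ssh from the
# LAN netblock or from hosts in a trusted domain.
HOSTS_ALLOW = """\
in.telnetd: 192.168.1.10
sshd: 192.168.1.0/255.255.255.0 .example.org
"""

# Constructed sample hosts.deny: refuse everything not allowed above.
HOSTS_DENY = """\
ALL: ALL
"""


def _split_list(field):
    """hosts_access lists are separated by blanks and/or commas."""
    return field.replace(",", " ").split()


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...] for a hosts.allow/deny body.

    Supports 'daemon_list : client_list' lines and '#' comments. Anything after a
    second ':' (shell_command) is ignored. EXCEPT is not supported and raises.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "EXCEPT" in line.split():
            raise NotImplementedError("EXCEPT operator not supported in this example")
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((_split_list(fields[0]), _split_list(fields[1])))
    return rules


def client_matches(pattern, ip, hostname):
    """Client-side pattern rules from hosts_access(5) that this example supports."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. ".example.org"
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):            # address prefix, e.g. "192.168."
        return ip.startswith(pattern)
    if "/" in pattern:                   # net/mask, e.g. "192.168.1.0/255.255.255.0"
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(ip) in network
    return pattern == ip or pattern == hostname   # exact address or host name


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule, daemon, ip, hostname):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, ip, hostname) for c in clients))


def access_granted(daemon, ip, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Decision order of tcpd: hosts.allow first, then hosts.deny, else ALLOW."""
    if any(rule_matches(r, daemon, ip, hostname) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, ip, hostname) for r in parse_rules(deny)):
        return False
    return True   # no rule matched: tcp_wrappers grants access by default


if __name__ == "__main__":
    for daemon, ip, host in [("in.telnetd", "192.168.1.10", None),
                             ("in.telnetd", "192.168.1.11", None),
                             ("sshd", "203.0.113.7", "gw.example.org"),
                             ("in.ftpd", "192.168.1.10", None)]:
        verdict = "ALLOW" if access_granted(daemon, ip, host) else "DENY"
        print(f"{daemon} from {ip} ({host}): {verdict}")
    # The trap: with an empty hosts.deny, anything not mentioned is allowed.
    print("ftp from the Internet with no hosts.deny:",
          access_granted("in.ftpd", "203.0.113.7", deny=""))
```

The point of the last line is the one the post makes: hosts_access only restricts what it is told to restrict, so the "ALL: ALL" deny line is what turns it into a default-deny policy, and a firewall rule (rule 1) is what protects you if the wrapper is not in the daemon's path at all.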