Re: security on Dial-up Systems
On Fri, 1 Aug 1997, Nir Soffer wrote:
> As for the original 'poster' - Do what I did for my security, disabled
> _all_ the services I didn't need. That includes daytime, chargen, and all
> that useless crap. Disabled identd, disabled fingerd, disabled ftpd,
> disabled rshd and rlogind, telnetd however, I kept.
even hack up a few firewalling rules, it's really easy.
>
> The best way to secure a machine is to keep the least 'doors' to it open as
> possible. You're on a dialup system? Why would you need sendmail or qmail
> then? Wham, one less potential hole. You're on a dialup system? Why in
> god's name would you need a POP server/IMAP server? Wham, another hole.
I'd leave outgoing mail in place, though I'd rather use Qmail (I waited a
long time to install it myself, lurking the mailing list for months, but
now I know it's Prof. Bernstein that scared me and not his wonderful
program :-)
anyway, RedHat installs lots of stuff without warning you, like NFS server
and client, IMAP, POP, Sendzevel, and godknowswhat. on servers I just
don't install them or use the exquisite rpm -e command often (whenever I
discover a useless/unused package). a temporary solution will be a quick
script to down certain services when connecting, or not run them at all
(switch to /etc/rc.d/rc3.d and start "commenting" modules by adding a "."
before the name).
another idea that pops into my head as I type is to use runlevel 4 as
"dialup runlevel", killing all the useless modules when switching and
restarting when falling back to level 3. it's not standard, but it's a
cool way to do it on a home machine :-)
-------------------------------------------------------------
Ira Abramov <ira@scso.com> Scalable Solutions
POBox 3600, Jerusalem 91035, Israel Tel (972)2-642-6822
http://www.scso.com/~ira Check out: http://www.linux.org.il
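
An added example, not part of the original message: a shell audit of an inetd.conf-style file that lists every enabled service outside a keep-list and writes a copy with those entries commented out. The function names, the keep-list of `telnet` and the sample file are assumptions constructed for illustration; `auth`, `shell` and `login` are the service names under which identd, rshd and rlogind normally appear in inetd.conf.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file against a keep-list.

# Print the name of every enabled (uncommented, non-blank) entry, once each.
enabled_services() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next } { print $1 }' "$1" | sort -u
}

# Print enabled services that are not in the space-separated keep-list $2.
unneeded_services() {
    for svc in $(enabled_services "$1"); do
        case " $2 " in
            *" $svc "*) ;;            # explicitly kept
            *) echo "$svc" ;;         # an open door nobody asked for
        esac
    done
}

# Write a copy of the file to stdout with every non-kept entry commented out.
# Review the copy before installing it and sending inetd a SIGHUP.
harden_inetd() {
    awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        ($1 in ok) { print; next }
        { print "#" $0 }
    ' "$1"
}

# Constructed sample input, not taken from any real system.
sample_inetd() {
cat <<'EOF'
# constructed sample inetd.conf
daytime stream tcp nowait root   internal
chargen stream tcp nowait root   internal
ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
#shell  stream tcp nowait root   /usr/sbin/tcpd in.rshd
finger  stream tcp nowait root   /usr/sbin/tcpd in.fingerd
auth    stream tcp nowait nobody /usr/sbin/in.identd in.identd
EOF
}

# Demonstration on the sample: list what would be disabled if only telnet is kept.
demo=$(mktemp)
sample_inetd > "$demo"
unneeded_services "$demo" "telnet"
rm -f "$demo"
```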