[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security on Dial-up Systems



On Fri, 1 Aug 1997, Nir Soffer wrote:

> As for the original 'poster' - Do what I did for my security, disabled
> _all_ the services I didn't need. That includes daytime, chargen, and all
> that useless crap. Disabled identd, disabled fingerd, disabled ftpd,
> disabled rshd and rlogind, telnetd however, I kept.

even hack up a few firewalling rules, it's really easy.

> 
> The best way to secure a machine is to keep theleast 'doors' to it open as
> possible. You're on a dialup system? Why would you  need sendmail or qmail
> then? Wham, one less potential hole. You're on a dialup system? Why in
> gods name would you need a POP server/IMAP server? Wham, another hole.

I'd leave outgoing mail in place, though I'd rather use Qmail (I waited a
long time to install it myself, lurking the mailing list for months, but
now I know it's Prof. Bernstein that scared me and not his wonderful
program :-) 

anyway, RedHat installs lots of stuff without warning you, like NFS server
and client, IMAP, POP, Sendzevel, and godknowswhat. on servers I just
don't install them or use the exquisite rpm -e command often (whenever I
discover a useless/unused package). a temporary solution will be a quick
script to down certain services when connecting, or not run them at all
(switch to /etc/rc.d/rc3.d and start "commenting" modules by adding a "."
before the name).

another idea that pops into my head as I type is to use runlevel 4 as
"dialup runlevel", killing all the useless modules when switching and
restarting when falling back to level 3. it's not standard, but it's a
cool way to do it on a home machine :-)


   -------------------------------------------------------------
   Ira Abramov          <ira@scso.com>        Scalable Solutions
   POBox 3600, Jerusalem 91035, Israel       Tel (972)2-642-6822
   http://www.scso.com/~ira   Check out: http://www.linux.org.il


References: