Re: [pmfirewall] FW: Steps before installing PMFirewall?


From: Terry Tremaine (t.tremaine@home.com)
Date: Fri Dec 22 2000 - 12:58:14 PST


Hello

Unless you need ftp it might be wise to disable that in inetd.conf. After any
changes to inetd.conf you need to run 'kill -HUP <pid for inetd>'. It is a good
idea to disable telnet and use ssh instead if you need login services. I would
also suggest getting nmap at www.insecure.org and running an internal port scan
regularly to detect processes listening at unguarded ports. netstat is also
useful for that.

Terry Tremaine

On Thu, 21 Dec 2000, you wrote:
> > I am in the process of setting up a simple web server/router using some old hardware I have. I am wondering what are the basic steps I need to perform to make my machine as airtight as possible:
> >
> > Here is what I have done so far:
> >
> > Vanilla install of Mandrake 7.2 (selected the recommended install, then minimum - installs about 300MB of stuff)
> >
> > Configured eth0 to be internet connection and eth1 to be internal network.
> >
> > Set the security level to high using DrakConf
> >
> > Ran Mandrake's internet connection sharing (which installs/configures DHCP, IP-MASQ, IP-CHAINS, named, etc).
> >
> > Installed Apache, bound it to the eth0, and put a single HTML webpage 'out there'. Also renamed the cgi-bin directory for now...
> >
> > Switched to RunLevel 3 (console mode) and killed the X server (xfs).
> >
> > My inetd still has telnet and ftp enabled - but I can happily get rid of those
> >
> > Read and followed the armoring linux doc (configured hosts.allow, hosts.deny, pam, etc).
> >
> > So the only daemons running are the httpd's, named, dhcp, inetd, syslog, etc. - nothing untoward.
> >
> > Everything is running great but I feel like my machines are a hack waiting to happen. Are there any other steps I should perform before installing PMFirewall? I do not want to lose any of my current functionality - it's just going to be a webserver which also provides an internet gateway for machines on my network. I do want to ensure that games can still play (esp. Unreal Tournament). I also want to ensure I am relatively safe from common attacks. I do not need X-windows to be running as the machine will eventually just sit in a corner with the light blinking (no monitor, keyboard or mouse attached). I will use telnet from my other linux machine to monitor logs and perform any configuration changes.
> >
> > I ran www.hackerwhacker.com against the machine last night and of the exposed ports, named and ftp bother me the most. I know these are commonly exploited holes.... Like I said, I can ditch the ftp, but as I understand it named needs to be there for my other machines to have DNS support.
> >
> > Any help and advice on next steps and/or the PMFirewall installation would be most welcome.
> >
> > Thanks in advance,
> >
> > Darren.
> >
> ****************************************************************************
> * To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
> * in the message body to majordomo@pointman.org. Please direct other
> * questions, comments, or problems to pmfirewall-owner@pointman.org.
> *
> * Need answers fast? Check the list archive located at:
> * http://www.pointman.org/PMFirewall/list-archive/
> *
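The two checks suggested in the reply above, as an added shell example that is not part of the original thread: it lists telnet and ftp entries still enabled in inetd.conf and reports listening TCP ports that are not on an allowlist. The function names, the allowlist and both sample inputs are constructed for illustration; the netstat sample follows the column layout of Linux net-tools `netstat -ltn`.

```shell
#!/bin/sh
# Added example (not from the thread). Sample inputs are constructed.

# Read inetd.conf on stdin; print telnet/ftp entries that are still enabled
# (lines that are neither blank nor commented out with '#').
inetd_flagged() {
    awk '!/^[ \t]*(#|$)/ && ($1 == "telnet" || $1 == "ftp") { print $1 }'
}

# Read `netstat -ltn` output on stdin; print each listening TCP port that is
# not in the space-separated allowlist given as $1.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # keep the text after the last colon
            if (!(port in ok) && !seen[port]++) print port
        }'
}

# Constructed inetd.conf fragment: ftp and telnet enabled, shell commented out.
SAMPLE_INETD='# constructed sample
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd in.identd'

# Constructed netstat -ltn style output for a web server / DNS gateway.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 0.0.0.0:80        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:21        0.0.0.0:*         LISTEN
tcp        0      0 192.168.1.1:53    0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:23        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:113       0.0.0.0:*         LISTEN
udp        0      0 192.168.1.1:53    0.0.0.0:*'

echo "inetd services to disable:"
printf '%s\n' "$SAMPLE_INETD" | inetd_flagged
echo "listening TCP ports outside the allowlist (80 53):"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "80 53"

# On a live host (assumed invocation):
#   inetd_flagged < /etc/inetd.conf
#   netstat -ltn | unexpected_listeners "80 53"
```

After commenting out the flagged lines, inetd must be sent the HUP signal mentioned in the reply before the change takes effect, and rerunning the second check confirms the ports have closed.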



This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:38:34 PDT