Dana Danet <[EMAIL PROTECTED]> wrote:
>So I am the recently listed person with growing interests in Linux.
>
>My question to the list is:
>
>I am planning on implementing a server out of my house via DSL and I hear
>horror stories of users that know IP ranges given out by ISPs and then scan
>them looking to get into boxes. Before I get my Linux desktop and server
>configured for DSL, what precautionary steps/implementations should I
>consider? I have a WebRamp 700s; has anyone used this device as a firewall
>for their Linux network?
Ok, since I'll (hopefully) soon be getting DSL myself, I'll bite:
Yes, if you're getting any kind of dedicated connection to the Internet,
you'll be port scanned at some point. It's a fact of life on the
Internet. Anytime you have a permanent connection to the Internet, steps
need to be taken to protect those machines - regardless of whether it's at
home, work, or elsewhere.
I'll assume the WebRamp 700s is the DSL modem/router. I don't know
anything about them so I can't comment. I'd have a look at their website
and see if it provides any helpful information about the device's capabilities.
Some steps you should take to protect your firewall/masquerade box are:
1) Apply *all* relevant updated RPMs, *especially* the security-related
ones. Make sure you keep up with the updates. Not keeping updated is
perhaps the #1 reason Linux boxes get cracked.
2) Don't run services you don't need. Disable them and/or remove the
RPM. If you have a need for it, you can always re-install it later. If
you're unsure about a service's purpose, read about it (man pages,
/usr/doc/[packagename], HOWTOs, FAQs, web sites, books, etc.) and ask
questions.
3) Use the firewall tools. (ipfwadm for 5.2 and earlier, ipchains for
6.x) Allow only those services you need. Deny and log everything else to
begin with. Once you have a "feel" for what things might get denied that
are probably harmless, deny but don't necessarily log them.
4) Use tcp_wrappers as another layer behind the firewall tools.
5) Keep an eye on your logfiles, especially packets that are denied by the
firewall tools. Use various log analysis and monitoring tools.
6) Don't *ever* connect to your server remotely using telnet. If you
absolutely *must*, don't login directly as root (normally disallowed
anyway) or su to root. Use ssh or openssh to connect remotely.
7) It's probably not a good idea to download your e-mail remotely either,
since most pop clients send passwords in cleartext. (This is if you're
planning on running mail services on the box.)
Lastly, enjoy your DSL! I hope I get one soon as well.
There's probably more that others will suggest, but this should get you
started.
-Eric
Eric Sisler
Library Computer Technician
Westminster Public Library
Westminster, CO, USA
[EMAIL PROTECTED]
Linux - don't fear the Penguin.
Want to know what we use Linux for?
Visit http://gromit.westminster.lib.co.us/linux
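Steps 3 and 5 above amount to "deny and log everything you didn't allow, then actually read the log." The script below is an added example (not part of Eric's post or any tool he names) that does the reading part: it parses the `Packet log:` lines the ipchains `-l` option writes via the kernel log, keeps only the DENY entries, tallies denied destination ports, and flags any source that probed several different ports, which is what a port scan looks like from the firewall's side. The log lines are constructed sample data in the ipchains kernel-log format, with documentation-range addresses; the `scan_threshold` parameter and the function names are this example's own choices.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of syslog output from ipchains rules using the -l
# (log) flag. These are made-up lines for the example, not real traffic.
SAMPLE_LOG = """\
Jun  3 01:12:07 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4321 192.0.2.10:23 L=60 S=0x00 I=31337 F=0x4000 T=48 SYN (#3)
Jun  3 01:12:08 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4322 192.0.2.10:21 L=60 S=0x00 I=31338 F=0x4000 T=48 SYN (#3)
Jun  3 01:12:09 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4323 192.0.2.10:110 L=60 S=0x00 I=31339 F=0x4000 T=48 SYN (#3)
Jun  3 01:15:30 gw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:137 192.0.2.10:137 L=78 S=0x00 I=2 F=0x0000 T=128 (#4)
Jun  3 01:20:00 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.20:50000 192.0.2.10:22 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#1)
"""

# Fields of interest in an ipchains kernel log entry:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_denied(text):
    """Return one dict per DENY entry found in the log text.

    Lines that are not ipchains packet logs, or whose verdict is not
    DENY, are skipped; accepted traffic is not what we are reviewing.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("verdict") != "DENY":
            continue
        rec = m.groupdict()
        rec["proto"] = PROTO_NAMES.get(rec["proto"], rec["proto"])
        records.append(rec)
    return records


def summarize(records, scan_threshold=3):
    """Tally denied traffic by proto/port and flag likely port scans.

    A source is reported as a suspected scan when it was denied on at
    least `scan_threshold` distinct destination ports (example heuristic).
    """
    by_port = Counter(f'{r["proto"]}/{r["dport"]}' for r in records)
    ports_per_source = defaultdict(set)
    for r in records:
        ports_per_source[r["src"]].add(r["dport"])
    suspected = sorted(
        src for src, ports in ports_per_source.items()
        if len(ports) >= scan_threshold
    )
    return {"by_port": by_port, "suspected_scans": suspected}


if __name__ == "__main__":
    denied = parse_denied(SAMPLE_LOG)
    report = summarize(denied)
    print("Denied packets by proto/port:")
    for key, count in report["by_port"].most_common():
        print(f"  {key:10s} {count}")
    print("Sources that hit several ports (suspected scans):")
    for src in report["suspected_scans"]:
        print(f"  {src}")
```

Run against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file's contents. In the sample, the single UDP/137 entry is the kind of NetBIOS name-service chatter from neighbouring Windows machines that Eric's step 3 describes as "probably harmless": once you recognise it, you can keep denying it without logging it, so the log stays readable for the entries that matter, like the three-port probe from the first source.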