Charles Stack on Fri, 21 Jan 2000 13:05:27 -0500 (EST)



RE: [PLUG] Finding Linux Help


We're running SDSL with a FlowPoint router here in the office.  Depending
upon what you purchase, you can configure (or your ISP can) the FlowPoint
to provide NAT or straight-through routing.  We elected to have NAT turned off
at the router (giving us our 5 IPs), and instead use a Linux box to perform
IP Masquerade.

Then, I went to town configuring what services were available and to whom
(/etc/init.conf and /etc/hosts.allow & /etc/hosts.deny).

I'd also suggest limiting the visibility of your files.  If you are running
RedHat, it sets the access rights on directories as 755.  Go back and set
them to 751 unless you really need to read files in /etc, /bin, etc.

Oh, yeah...don't leave your password file unencrypted.  Use shadowing if
possible.

Finally, install something like LIDS, COPS or TripWire to assist in catching
a bad guy and to help ascertain what they did.

Then, I ran Saint against it looking for weaknesses.  When running, you
can't see the Windows machines from the internet.  For that, you either need
to run VPN software or SSH.  SecureCRT, from VanDyke, allows you to tunnel
into your private network using SSH and their software (Windows only).  I've
also played with VPND.

BTW, we were scanned by a would-be hacker right after our Linux box went
live (confirmed by the system operator of the systems the attack WAS
launched from).  They did not get in (this time, at least).

If you are dreadfully concerned about someone hacking into your system, you
may want to go the route of having a dedicated firewall.  But, I think with
a few precautions, you'll probably be alright.

As for setting up a dial-in server....Get the rest of your network working
first.  Then, add that capability.

Charles

-----Original Message-----
From: plug-admin@lists.nothinbut.net
[mailto:plug-admin@lists.nothinbut.net]On Behalf Of Rebecca Ore
Sent: Friday, January 21, 2000 10:06 AM
To: plug@lists.nothinbut.net
Subject: Re: [PLUG] Finding Linux Help


On Fri, Jan 21, 2000 at 09:27:38AM -0500, neodem wrote:
> Hi, I'm a new member to this list, and I'm writing today in search of some
> help and/or suggestions.
>
> In a month, I am having SDSL installed in my home and I want to administer
> the connection with a Linux server. I'm not a Linux expert by any means and
> I'm looking for someone to help me set it up properly.

If you have a FlowPoint router, and if you have multiple IP addresses,
you can do firewalling either by putting up a second Linux box as a
firewall (which I can't help you with), or pay for the key unlocking
to run the FlowPoint's firewall program.

You can run all the boxes off the FlowPoint (with or without the
firewalling).  Not recommended for Windows boxes unless you do have
the FlowPoint firewalling going.

>
> I have 2 Windows PC's  in my home as well and want to hook them up to the
> server and be able to access the net. I also want the server to be able to
> accept dial-ups from me when I'm away.

Why the dial-ups?  I think this complicates your set-up, but I'll let
others address that.


> I want the server to run Apache, an email server and other network apps. I'm
> a bit afraid of having the box up on the net all the time so I'll need to
> set up some type of security/firewall as well.

I run all those and have a running nntp port (with no inbound or
outbound feeds).  I run TripWire and PortSentry.  The most important
thing is to read your logs, keep up with what's going on with your
machine.

Close all services you don't need; close telnet and use ssh, close
finger and any other services you don't know much about.  Make
sure your host deny file is all:all and you only allow people on the
machine who have a need to be there (smtp and http are set up
differently -- in /etc/hosts.allow, I've got an entry for sendmail
that's "sendmail: all").  You'll also want to close sendmail's vrfy and
expd so people can't get the user name and try cracking the passwords.

If you're logged on remotely, check "who" periodically to see if you
have unexpected company.  Check your http logs to see if anyone tried
anything weird (there are some things that look weird that are just MS
artifacts).


TripWire will tell you if any files in your core directories have
changed in the last 24 hours.  Some of my files change automatically,
but I didn't set up TripWire to skip them because I also use the time
I'm logged in as root to check other things and getting the daily mail
assures me that TripWire is still running.  You can probably find
programs that will mail you suspicious items out of your logs.  This
can be set to send them to your work address if you're not home.

> Any help you can offer would be great. Thanks.

If you've never done this before, start with RedHat 6.1 and all the
recommended upgrades.  You'll want two ethernet cards in the Linux
box, one to the FlowPoint/sdsl modem, the other to a small hub for
your Windows boxes, which will also need ethernet cards.  I've never
done a Samba installation; there are other people better informed
on this than I am.

--
Rebecca Ore
http://www.ogoense.net

______________________________________________________________________
Philadelphia Linux Users Group       -       http://plug.nothinbut.net
Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
General Discussion   -   http://lists.nothinbut.net/mail/listinfo/plug
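
The checks the two messages above describe (a default-deny hosts.deny, hosts.allow entries open to every client, shadowed passwords, and 751 rather than 755 directory modes), as an added shell example that is not part of either post. The function names and the `audit` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: read-only checks for the hardening steps
# discussed above. Each function takes a path so it can be run on a copy.

# Succeeds if the hosts.deny file has an uncommented "ALL: ALL" default-deny rule.
has_default_deny() {
    grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|:|$)' "$1"
}

# Prints daemons that the hosts.allow file opens to every client ("sendmail: ALL").
open_to_all() {
    awk -F: '$0 !~ /^[ \t]*#/ && NF >= 2 {
        client = tolower($2); gsub(/[ \t]/, "", client)
        if (client == "all") { gsub(/[ \t]/, "", $1); print $1 }
    }' "$1"
}

# Prints accounts whose passwd password field is neither the shadow marker "x"
# nor locked ("*" or "!"), i.e. a hash or an empty password sits in passwd itself.
unshadowed_accounts() {
    awk -F: '$0 !~ /^#/ && NF >= 7 && $2 != "x" && $2 !~ /^[*!]/ { print $1 }' "$1"
}

# Prints directories at or directly under $1 whose mode lets "other" list them
# (the read bit that 755 sets and 751 clears).
world_listable_dirs() {
    find "$1" -maxdepth 1 -type d -perm -004 | sort
}

# Audit the live system only when called as: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    has_default_deny /etc/hosts.deny || echo "hosts.deny: no ALL: ALL rule"
    open_to_all /etc/hosts.allow | sed 's/^/hosts.allow open to all: /'
    unshadowed_accounts /etc/passwd | sed 's/^/password not shadowed: /'
    world_listable_dirs /etc | sed 's/^/listable by others: /'
fi
```

Directories reported by the last check are candidates for 751 only if nothing unprivileged needs to list them.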

