neodem on Wed, 26 Jan 2000 09:02:16 -0500 (EST)
Charles, thanks for your tips, I am getting a Flowpoint router and I've heard that they have a firewall option. I'm also reading a really great book about Linux security, "Maximum Linux Security", that goes over just about everything. I'm sure when I get closer to putting it all together (30-90 days for the installation of the DSL) I'll be pestering the list with help requests. Thanks again for your help!

neo
-------
neodem@fast.net

----- Original Message -----
From: "Charles Stack" <charles@codycomp.com>
To: <plug@lists.nothinbut.net>
Sent: Friday, January 21, 2000 1:08 PM
Subject: RE: [PLUG] Finding Linux Help

> We're running SDSL with a Flowpoint router here in the office. Depending
> upon what you purchase, you can configure (or your ISP can) the FlowPoint
> to provide NAT or straight-through routing. We elected to have NAT turned off
> at the router (giving us our 5 IPs), and instead use a Linux box to perform
> IP Masquerade.
>
> Then, I went to town configuring what services were available and to whom
> (/etc/init.conf and /etc/hosts.allow & /etc/hosts.deny).
>
> I'd also suggest limiting the visibility of your files. If you are running
> RedHat, it sets the access rights on directories as 755. Go back and set
> them to 751 unless you really need to read files in /etc, /bin, etc.
>
> Oh, yeah...don't leave your password file unencrypted. Use shadowing if
> possible.
>
> Finally, install something like LIDS, COPS or TripWire to assist in catching
> a bad guy and to help ascertain what they did.
>
> Then, I ran Saint against it looking for weaknesses. When running, you
> can't see the Windows machines from the internet. For that, you either need
> to run VPN software or SSH. SecureCRT, from VanDyke, allows you to tunnel
> into your private network using SSH and their software (Windows only). I've
> also played with VPND.
>
> BTW, we were scanned by a would-be hacker right after our Linux box went
> live (confirmed by the system operator of the systems the attack WAS
> launched from). They did not get in (this time, at least).
>
> If you are dreadfully concerned about someone hacking into your system, you
> may want to go the route of having a dedicated firewall. But, I think with
> a few precautions, you'll probably be alright.
>
> As for setting up a dial-in server....Get the rest of your network working
> first. Then, add that capability.
>
> Charles
>
> -----Original Message-----
> From: plug-admin@lists.nothinbut.net
> [mailto:plug-admin@lists.nothinbut.net]On Behalf Of Rebecca Ore
> Sent: Friday, January 21, 2000 10:06 AM
> To: plug@lists.nothinbut.net
> Subject: Re: [PLUG] Finding Linux Help
>
>
> On Fri, Jan 21, 2000 at 09:27:38AM -0500, neodem wrote:
> > Hi, I'm a new member to this list, and I'm writing today in search of some
> > help and/or suggestions.
> >
> > In a month, I am having SDSL installed in my home and I want to administer
> > the connection with a Linux server. I'm not a Linux expert by any means and
> > I'm looking for someone to help me set it up properly.
>
> If you have a FlowPoint router, and if you have multiple IP addresses,
> you can do firewalling either by putting up a second Linux box as a
> firewall (which I can't help you with), or pay for the key unlocking
> to run the FlowPoint's firewall program.
>
> You can run all the boxes off the FlowPoint (with or without the
> firewalling). Not recommended for Windows boxes unless you do have
> the FlowPoint firewalling going.
>
> > I have 2 Windows PC's in my home as well and want to hook them up to the
> > server and be able to access the net. I also want the server to be able to
> > accept dial-ups from me when I'm away.
>
> Why the dial-ups? I think this complicates your set-up, but I'll let
> others address that.
>
> > I want the server to run Apache, an email server and other network apps. I'm
> > a bit afraid of having the box up on the net all the time so I'll need to
> > set up some type of security/firewall as well.
>
> I run all those and have a running nntp port (with no inbound or
> outbound feeds). I run TripWire and PortSentry. The most important
> thing is to read your logs, keep up with what's going on with your
> machine.
>
> Close all services you don't need; close telnet and use ssh, close
> finger and any other services you don't know much about. Make
> sure your host deny file is all:all and you only allow people on the
> machine who have a need to be there (smtp and http are set up
> differently -- in /etc/hosts.allow, I've got an entry for sendmail
> that's "sendmail: all"). You'll also want to close sendmail's vrfy and
> expn so people can't get the user name and try cracking the passwords.
>
> If you're logged on remotely, check "who" periodically to see if you
> have unexpected company. Check your http logs to see if anyone tried
> anything weird (there are some things that look weird that are just MS
> artifacts).
>
> TripWire will tell you if any files in your core directories have
> changed in the last 24 hours. Some of my files change automatically,
> but I didn't set up TripWire to skip them because I also use the time
> I'm logged in as root to check other things and getting the daily mail
> assures me that TripWire is still running. You can probably find
> programs that will mail you suspicious items out of your logs. This
> can be set to send them to your work address if you're not home.
>
> > Any help you can offer would be great. Thanks.
>
> If you've never done this before, start with RedHat 6.1 and all the
> recommended upgrades. You'll want two ethernet cards in the Linux
> box, one to the FlowPoint/sdsl modem, the other to a small hub for
> your Windows boxes, which will also need ethernet cards. I've never
> done a Samba installation; there are other people better informed
> on this than I am.
>
> --
> Rebecca Ore
> http://www.ogoense.net
>
> ______________________________________________________________________
> Philadelphia Linux Users Group - http://plug.nothinbut.net
> Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
> General Discussion - http://lists.nothinbut.net/mail/listinfo/plug
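The default-deny TCP Wrappers layout and the sendmail vrfy/expn point from Rebecca's reply, as an added shell audit that is not code from anyone in the thread; it assumes the sendmail setting lives on a PrivacyOptions line in sendmail.cf (the thread does not name it), and the sample files it checks are constructed:

```shell
#!/bin/sh
# Added example, not code from the thread: check the TCP Wrappers layout Rebecca
# describes (catch-all ALL: ALL in hosts.deny, only needed services in hosts.allow)
# and whether sendmail.cf switches off VRFY and EXPN via its PrivacyOptions line
# (an assumption about where that setting lives; the thread does not name it).
# Every check takes file paths, so it can run against constructed samples or /etc.

# print a file's live entries with comments and blank lines stripped
live_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# 0 if the file contains a catch-all "ALL: ALL" entry
has_catch_all() {
  live_lines "$1" | grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'
}

# hosts.deny must carry the catch-all and hosts.allow must not: hosts.allow is
# consulted first, so a wildcard there silently grants everything hosts.deny refuses
wrappers_default_deny() { has_catch_all "$1" && ! has_catch_all "$2"; }

# 0 if PrivacyOptions disables both VRFY and EXPN (novrfy+noexpn, or goaway
# which implies them); anything else leaves user-name probing open
sendmail_hides_users() {
  opts=$(live_lines "$1" | sed -n 's/^O PrivacyOptions=//p')
  case ",$opts," in
    *,goaway,*) return 0 ;;
    *,novrfy,*) case ",$opts," in *,noexpn,*) return 0 ;; esac ;;
  esac
  return 1
}

# audit a constructed sample set in a scratch directory; on a real host call the
# two checks with /etc/hosts.deny, /etc/hosts.allow and /etc/sendmail.cf instead
demo_audit() {
  d=$(mktemp -d) || return 1
  printf '# refuse anything not listed in hosts.allow\nALL: ALL\n' > "$d/hosts.deny"
  printf 'sshd: 192.168.1.\nsendmail: ALL\n' > "$d/hosts.allow"   # LAN ssh, public smtp
  printf 'O PrivacyOptions=authwarnings,novrfy,noexpn\n' > "$d/sendmail.cf"
  rc=0
  if wrappers_default_deny "$d/hosts.deny" "$d/hosts.allow"; then
    echo "ok   wrappers: default deny, no wildcard in hosts.allow"
  else echo "FAIL wrappers"; rc=1; fi
  if sendmail_hides_users "$d/sendmail.cf"; then
    echo "ok   sendmail: vrfy/expn closed"
  else echo "FAIL sendmail"; rc=1; fi
  rm -rf "$d"
  return $rc
}
demo_audit
```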