LeRoy Cressy on Mon, 4 Mar 2002 23:11:22 -0500



Re: security tips - Re: [PLUG] serving webpages from home


Use iptables or ipchains to drop every packet that is not necessary from
the outside.

Apache uses port        80
smtp                    25

These are the two ports that you do not need to drop from the Internet
if you are running your own mail and web server.  Also, removing a line
in /etc/services just removes the port name but not the port.  An nmap
scan with -p 1- will scan all 65000 ports.  If you want to log in through
ssh use port 22.  When setting up iptables drop every new connection
except what is absolutely necessary.

Darxus@chaosreigns.com wrote:
> 
> On 03/04, Jon Galt wrote:
> > My ISP is Earthlink, and each person I have asked there says it is ok.  My
> > DNS entry has been fixed, and I can access mulliganvalley.org from outside
> > my LAN.  There's nothing there except a simple test file.
> 
> I can get there too.
> 
> > If anybody has any security tips, I'm all ears.
> 
> Lots.
> 
> * Portscan your box (probably with nmap) and verify that there are no ports
>   open that you do not need open.  If you do not know why a port is open,
>   close it. Removing a port from /etc/services *may* work, but it is the
>   *wrong* way.
> * Make sure that at least the software you have listening on open ports is
>   updated religiously.  You want to minimize the time between new exploits
>   being found and you upgrading to avoid them being used against you.  I
>   upgrade all software on all of my linux boxes about daily (with
>   the command "apt-get update;apt-get dist-upgrade" under debian).
> * Google.com search for linux security, subscribe to a few mailing lists
>   that announce new security holes in things, especially one that is
>   specific to your linux distribution.  Read everything.
> 
> These tips all (basically) apply to all operating systems.
> 
> Security is a balance between making it prohibitively difficult for
> intruders to access your system, and acceptably convenient for you to
> access your system.
> 
> "...to fully secure a system, you really have to grind it into dust,
> scatter the pieces to the wind, and hope that Entropy does [its]
> part. Since you can't do this, you make tradeoffs." -Jay Beale
> 
> If you can get in, an attacker can too.  You need to find a balance that
> you're comfortable with.
> 
> Do not ever use telnet or ftp.  They transmit your username and password
> in cleartext - unencrypted and easily sniffable.  Uninstalling any
> telnet or ftp server applications is a good idea, and many of us do.
> Use ssh and scp (or anything else encrypted that you like) instead.  If you
> need to access your box from a windows machine, I suggest putty (GPLed
> windows ssh client, google.com search for it).
> 
> A good step to take is to remove all software that you don't need.  Any
> program that is on the system is another possible security vulnerability.
> 
> Do all of this and you will be much better off than most.
> 
> --
> "If you are not paranoid... you may not be paying attention."
>  - jimh@creative-net.net, on an IDPA mailing list
> http://www.ChaosReigns.com
> 

-- 
Rev. LeRoy D. Cressy   mailto:lcressy@telocity.com   /\_/\
                       http://www.netaxs.com/~ldc   ( o.o )
                       Phone:  215-535-4037          > ^ <

Jesus saith unto him, I am the way, the truth, and the life: 
no man cometh unto the Father, but by me. (John 14:6)

______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
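
An added example, not part of the original message or thread: a shell sketch that generates the kind of default-drop iptables ruleset described above, accepting new inbound connections only on the ports named in the message (22, 25, 80). The function names and the `--print` switch are made up for this example, and the script only prints rules in iptables-restore format without applying them.

```shell
#!/bin/sh
# Added example: emit a default-drop iptables ruleset in iptables-restore
# format. Nothing is applied here; review the output, then load it as root
# with:  sh ruleset.sh --print | iptables-restore
# valid_port, build_ruleset and --print are hypothetical names.

# valid_port PORT -> exit status 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_ruleset PORT... -> prints the ruleset, or fails on a bad port
build_ruleset() {
    # Validate everything first so a bad argument yields no partial output.
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    echo "*filter"
    # Default policy: drop inbound and forwarded traffic, allow outbound.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Loopback, and replies to connections this host already has.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New TCP connections only to the listed service ports.
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p --syn -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

if [ "${1:-}" = "--print" ]; then
    build_ruleset 22 25 80   # ssh, smtp, http: the ports named in the message
fi
```

After loading the rules, a full-range nmap scan from an outside host is the way to confirm that only the intended ports answer.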