Doug Crompton on 3 Feb 2005 21:19:53 -0000
I know some of the IP tables masochists will disagree, but using a FW router, like a Linksys, as your front-end, and ONLY opening up the ports you want to serve is good security. You can also restrict all unused outbound ports.

I watch logs here constantly. The traffic logs, charts, and graphs are supplied by WallWatcher (a Windows program) that takes its input from the log output of the router.

I do not have the telnet or ssh port opened. I did have ssh opened but I was getting hits on it and even though I do not allow root login it bothered me. Since I rarely if ever have occasion for remote login outside of my intranet I leave it closed.

I have mail, web, POP, and domain servers running. They get 99.9% of the outside traffic. The other spurious stuff I see are hits to port 137, 445, and other extraneous stuff. They do not get through anyway.

You also want to turn off outgoing ICMP and ident replies from your router. No remote admin or login, only local. You basically want to make it look like it is not there. I also set up /etc/hosts.allow and deny to only allow connects from the POP IPs I serve.

There are a number of FW checkers you can run against yourself on the web. You have to become a critical 'log watcher'.

Doing this there is really no reason to run a Linux FW unless you need some of the added flexibility it provides. Of course you still want to only run necessary ports and observe general system and PW security.

Doug

****************************
*   Doug Crompton          *
*   Richboro, PA 18954     *
*   215-431-6307           *
*                          *
*   doug@crompton.com      *
*   http://www.crompton.com *
****************************

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
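The post's advice boils down to two habits: open only the ports you serve, and read the router's logs critically so you notice hits to everything else. The script below is an added example (not part of the original post or of WallWatcher) of the log-watching half: it parses router log lines, separates hits to served ports (SMTP, HTTP, POP3, DNS, the services named in the post) from hits to closed ports such as 137, 445 and 113 (ident), flags sources that probe several closed ports, and lists any ACCEPT to a port that should not be open. The log layout and the sample lines are constructed for this example; a real router's log format will differ, so `LINE_RE` is the one thing to adapt.

```python
"""
Triage constructed router log lines: count inbound hits per destination port,
split them into served ports (expected traffic) and everything else (noise the
router should be dropping), flag sources that probe several closed ports, and
report any ACCEPT that contradicts the intended "only serve these ports" policy.
"""
import re
from collections import Counter, defaultdict

# Ports actually served behind the router: SMTP, DNS, HTTP, POP3.
SERVED_PORTS = {25, 53, 80, 110}

# Constructed sample lines in an assumed "ts IN src:sport -> dst:dport proto action"
# layout (hypothetical format, not a real router's). One malformed line is included
# to show that it is skipped rather than crashing the parser.
SAMPLE_LOG = """\
2005-02-03 21:10:01 IN 198.51.100.7:51234 -> 203.0.113.5:25 TCP ACCEPT
2005-02-03 21:10:05 IN 198.51.100.7:51240 -> 203.0.113.5:110 TCP ACCEPT
2005-02-03 21:11:17 IN 192.0.2.44:3321 -> 203.0.113.5:137 UDP DROP
2005-02-03 21:11:18 IN 192.0.2.44:3322 -> 203.0.113.5:445 TCP DROP
2005-02-03 21:11:19 IN 192.0.2.44:3323 -> 203.0.113.5:22 TCP DROP
2005-02-03 21:12:40 IN 198.51.100.9:40001 -> 203.0.113.5:80 TCP ACCEPT
2005-02-03 21:13:02 IN 192.0.2.90:1025 -> 203.0.113.5:53 UDP ACCEPT
2005-02-03 21:13:55 IN 192.0.2.91:2000 -> 203.0.113.5:113 TCP DROP
garbage line that should be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IN (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP) (?P<action>ACCEPT|DROP)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            yield ev


def summarize(text, served=SERVED_PORTS):
    """Return (hits per served port, hits per closed port, probing sources).

    A "prober" is any source that touched two or more closed ports, which is the
    pattern behind the 137/445-style noise the post describes.
    """
    served_hits, noise_hits = Counter(), Counter()
    closed_ports_by_src = defaultdict(set)
    for ev in parse_log(text):
        if ev["dport"] in served:
            served_hits[ev["dport"]] += 1
        else:
            noise_hits[ev["dport"]] += 1
            closed_ports_by_src[ev["src"]].add(ev["dport"])
    probers = {src: sorted(ports)
               for src, ports in closed_ports_by_src.items() if len(ports) >= 2}
    return served_hits, noise_hits, probers


def served_share(text, served=SERVED_PORTS):
    """Fraction of parsed inbound hits that went to ports actually served."""
    s, n, _ = summarize(text, served)
    total = sum(s.values()) + sum(n.values())
    return sum(s.values()) / total if total else 0.0


def unexpected_accepts(text, served=SERVED_PORTS):
    """Events where the router ACCEPTed traffic to a port that is not served.

    Any entry here means the router's rule set no longer matches the intended
    policy and is the first thing to check after a configuration change.
    """
    return [ev for ev in parse_log(text)
            if ev["action"] == "ACCEPT" and ev["dport"] not in served]


if __name__ == "__main__":
    s, n, p = summarize(SAMPLE_LOG)
    print("served ports:", dict(s))
    print("closed ports hit:", dict(n))
    print("sources probing several closed ports:", p)
    print("share of traffic to served ports: %.2f" % served_share(SAMPLE_LOG))
    print("policy violations:", unexpected_accepts(SAMPLE_LOG))
```

On the constructed sample, every hit to a closed port is already a DROP, so `unexpected_accepts` comes back empty; feed it a log after a rule change and a non-empty list is the signal that something is open that should not be. The prober report is what turns a wall of 137/445 noise into a short list of addresses worth a second look.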