Darxus on Mon, 4 Mar 2002 21:50:01 -0500



security tips - Re: [PLUG] serving webpages from home


On 03/04, Jon Galt wrote:
> My ISP is Earthlink, and each person I have asked there says it is ok.  My
> DNS entry has been fixed, and I can access mulliganvalley.org from outside
> my LAN.  There's nothing there except a simple test file.

I can get there too.

> If anybody has any security tips, I'm all ears.

Lots.  

* Portscan your box (probably with nmap) and verify that there are no ports
  open that you do not need open.  If you do not know why a port is open,
  close it. Removing a port from /etc/services *may* work, but it is the
  *wrong* way.
* Make sure that at least the software you have listening on open ports is
  updated religiously.  You want to minimize the time between new exploits
  being found and you upgrading to avoid them being used against you.  I
  upgrade all software on all of my linux boxes about daily (with
  the command "apt-get update;apt-get dist-upgrade" under debian).
* Google.com search for linux security, subscribe to a few mailing lists
  that announce new security holes in things, especially one that is
  specific to your linux distribution.  Read everything.

These tips all (basically) apply to all operating systems.

Security is a balance between making it prohibitively difficult for
intruders to access your system, and acceptably convenient for you to
access your system.

"...to fully secure a system, you really have to grind it into dust,
scatter the pieces to the wind, and hope that Entropy does [its]
part. Since you can't do this, you make tradeoffs." -Jay Beale

If you can get in, an attacker can too.  You need to find a balance that
you're comfortable with.  

Do not ever use telnet or ftp.  They transmit your username and password
in cleartext - unencrypted and easily sniffable.  Uninstalling any
telnet or ftp server applications is a good idea, and many of us do.
Use ssh and scp (or anything else encrypted that you like) instead.  If you
need to access your box from a windows machine, I suggest putty (GPLed
windows ssh client, google.com search for it).

A good step to take is to remove all software that you don't need.  Any
program that is on the system is another possible security vulnerability.

Do all of this and you will be much better off than most.

-- 
"If you are not paranoid... you may not be paying attention."
 - jimh@creative-net.net, on an IDPA mailing list
http://www.ChaosReigns.com
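
Added example, not part of the original message: a local complement to the external portscan tip above, listing every listening TCP port that is not on a list of ports you can account for. It assumes the iproute2 `ss` tool for live use; the allowlist "22 80", the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP ports that are not on an allowlist.
# Input format is the output of `ss -Hltn` (no header, listening, TCP, numeric).

# Constructed sample, not captured from any real host.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 64 *:2049 *:*'

# unexpected_ports "22 80" < ss-output
# Prints "port scope local-address" for each listener whose port is not allowed.
# scope is "local" for loopback-only sockets and "exposed" for everything else.
unexpected_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
            if (port in ok) next
            scope = (host ~ /^127\./ || host == "[::1]") ? "local" : "exposed"
            print port, scope, addr
        }' | sort -n
}

# Demonstration on the constructed sample.
# Live use on your own box: ss -Hltn | unexpected_ports "22 80"
printf '%s\n' "$SAMPLE_SS" | unexpected_ports "22 80"
```

Anything reported as "exposed" is a port to explain or shut down at the service that owns it; `ss -ltnp` run as root shows the owning process.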
