Ken Beach wrote:
>
> On Wed, Mar 07, 2001 at 09:10:32PM -0800, chamster wrote:
> >
> >
> > I'm paying more attention to securing my Linux system in hopes of one day
> > getting high-speed access (#$%!!) and setting up a firewall. However,
> > until then, I'm trying to wrap my mind around my current setup and its
> > security ramifications which hopefully somebody can help me on...
> >
> > I've got a Linux router acting as a NAT (for the modem dialup) and proxy
> > server (via squid) for a small LAN, but it also acts as the LAN's
> > file/print server using Netatalk and Samba. Since I'm on a dial-up
> > connection, I'm not exactly prime real estate for crackers, but that
> > didn't stop a script-kiddie from trying an outdated buffer overflow attack
> > on a weekly basis.
> >
>
> Normally, I advocate keeping the firewall as a single function machine. Every service you run opens you up to possible compromise.
>
> Now, if for some reason you are forced to use your firewall as a multipurpose server, I would use ipchains to block external access to the vulnerable services.
>
> I believe samba uses ports 137-140, but I'd have to look that up to double check.
>
> One way to do that with ipchains is:
> /sbin/ipchains -A input -p tcp --destination-port 137:140 -j DENY -l -i ppp0
>
> this assumes you are blocking ports 137 to 140 and your external adapter is ppp0 and logs any attempt to connect to one of those ports.
>
> This should allow you to access these ports from the inside, but should deny access from the outside.
>
> Hope this helps!
For a fairly basic, easy to use set of ipchains scripts, use
pmfirewall. It's not the end-all-be-all but for securing the "outside"
while leaving the "inside" open it is very effective. You answer a few
basic questions ("Are you running a POP3 server?") and it produces the
ipchains rules for you.
trent
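The "-l" on Ken's ipchains rule makes the kernel log every denied packet, which is the only record you get of those weekly probes. The script below is an added example, not from this thread or from pmfirewall: it parses lines in the "Packet log:" format that ipchains writes to the kernel log and tallies DENY hits on the external interface per source, protocol and destination port. The log lines, host names and addresses in it are constructed samples, and the trailing "(#n)" rule number is treated as optional since not every kernel build prints it.

```python
import re
from collections import Counter

# Constructed sample of syslog lines, in the format ipchains produces when a
# rule carries "-l" (e.g. "-A input -p tcp --destination-port 137:140 -j DENY -l -i ppp0").
SAMPLE_LOG = """\
Mar  8 03:12:01 router kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4211 198.51.100.9:139 L=60 S=0x00 I=1234 F=0x4000 T=51 SYN (#3)
Mar  8 03:12:04 router kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4212 198.51.100.9:139 L=60 S=0x00 I=1235 F=0x4000 T=51 SYN (#3)
Mar  8 03:15:44 router kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.88:137 198.51.100.9:137 L=78 S=0x00 I=9 F=0x0000 T=112 (#3)
Mar  8 03:20:10 router kernel: Packet log: input ACCEPT eth0 PROTO=6 192.168.1.20:1030 192.168.1.1:139 L=60 S=0x00 I=77 F=0x4000 T=64 SYN (#1)
"""

# chain target iface PROTO=n src:sport dst:dport L= S= I= F= T= [SYN] [(#rule)]
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=\d+"
    r"(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_line(line):
    """Return a dict for one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "target": d["target"], "iface": d["iface"],
        "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "syn": d["syn"] is not None,            # TCP connection attempt
        "rule": int(d["rule"]) if d["rule"] else None,
    }

def summarise_denied(log_text, iface="ppp0"):
    """Count DENY hits arriving on the external interface per (src, proto, dport).

    Traffic on the LAN side (or accepted traffic) is left out, so the result is
    exactly the set of outside probes the rule blocked."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["target"] == "DENY" and rec["iface"] == iface:
            hits[(rec["src"], rec["proto"], rec["dport"])] += 1
    return hits

if __name__ == "__main__":
    for (src, proto, dport), n in summarise_denied(SAMPLE_LOG).most_common():
        print(f"{src:>16}  {proto:<4} port {dport:<5} denied {n}x")
```

Run it against /var/log/messages (or wherever klogd writes) on the router to see which outside hosts are knocking on the Samba ports.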
-=-
Linux Users Of Northern Illinois: General Discussion Mailing list.
For unsubscription, archives, and announcements only see http://luni.org
This archive was generated by hypermail 2b29: Thu Mar 08 2001 - 12:07:45 CST