Re: [LUG] Re: Security

[kevin bailey <kev.bailey@xxxxxxxxxxx>]

agree with previous postings...

IMO the best principle with ipchains/iptables is to deny everything 
first and log what is being rejected - then if something is not working 
(secure websites etc) you can see what was rejected and then put in a 
rule to allow those packets through - eventually you will have a set of 
rules which allow stuff through for what you need.

shutdown all uneccessary services.  if you are dialling up and just 
browsing etc make sure you are not offering ftp, telnet, httpd services etc.

kev



Theo Zourzouvillys wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thursday 20 June 2002 10:23 pm, Ian P. Christian wrote:
>
>
> > apt-get install iptables
> > and
> > http://monmotha.mplug.org/firewall/index.php.
>
>
> personally i use:
>
>  apt-get install iptables
>  .. create your iptables rules ...
>  /etc/init.d/iptables save_active
>
> and it wil lsave and restore on reboot.
>
>
> > > But come on, be serious folks. No cracker will be interested in a dial
> > > up system. It would take too long to check it if you have
> > > anything worth
> > > looking at. For a machine you keep on all the time on DSL,
> > > well thats a
> > > different story.
> >
> > I had a dialup machine rooted twice, and that was *after* securing.
>
>
> like simon said (no pun intended!), nearly all hacks are automated, so it 
> makes no difference really. once a box is compromised (even via a user 
> account), it can be used to launch dos attacks.  most dDoS attacks launched 
> on ISP's are from 56k dial-up accounts, a few thosand windows boxes all 
> sending stupid packets at a router can do all sorts of wonders for lag ;p
>
>
> > For the sake of people editing /etc/inetd.conf, I really think people
> > should spend atleast 10 minutes turning services off.
>
>
> the *very* first thign i do on a debian box is:
>
>  update-rc.d -f portmap remove
>  update-rc.d -f inetd remove
>
> i don't like inetd, for some odd reason. it's a personal thing, It just 
> doesn't seem natural :p 
>
> portmap is a very very silly thign to leave open to the internet.
>
> my firewall has all ports short of ssh and imap closed.
>
> ~ Theo
>
> - -- 
>
> Theo Zourzouvillys
>  http://zozo.org.uk/
>
> Today is the tomorrow you worried about yesterday.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
>
> iD8DBQE9EnT7448CrwpTn6YRAiZWAJ0a86w5V8olwN9EKYFUNYuGRC4UjgCguwec
> meGra+TsANsy4ffshTRMGVs=
> =7Jix
> -----END PGP SIGNATURE-----
>
>
> --
> The Mailing List for the Devon & Cornwall LUG
> Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
> message body to unsubscribe.



--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.