Section 2.11 High Security Requires Minimum Services

For high security, many experts recommend having a firewall and configuring it to allow only SSH (TCP port 22) in or out of your main site, besides the services that you offer to the Internet, such as e-mail and http. (If you have a single Linux system, you can still apply the firewall rules to it. This is an excellent idea so that crackers from unauthorized systems do not get a chance to try to find vulnerabilities in your programs.)

Typically you would have your first Ethernet card (eth0) connected to the Internet and your second Ethernet card (eth1), if any, connected to your internal LAN, as in this example. See "Upgrade SSH" on page 112 to ensure that you do not have an insecure version of SSH that has a known buffer overflow security hole.

In your boot-up sequence you would issue the following command.

    ipchains -A input -p tcp -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 22

If you have hardened sendmail on whatever systems will receive e-mail with it, you could add sendmail's SMTP TCP port 25 as follows:

    ipchains -A input -p tcp -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 25

Sendmail can be configured to run as a user other than root, using set-GID to mail; this will reduce your security risks greatly. (The kind of obscure limitation this imposes is that you cannot use an alias in /etc/aliases to execute a program as root. Few people use this feature.)

If your firewall system will also be offering services to your internal network that you do not want to offer to the Internet, care must be taken to ensure that these services are not accessible from the Internet. These services may include Samba, AppleTalk, NFS, or an internal Web server. They may be blocked with the use of IP Tables rules or by configuring the servers to bind only to the interface connected to the internal network. The former is discussed in "Firewalls with IP Chains and DMZ" on page 514. The latter is discussed in "Limiting Server Interfaces" on page 72.
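The two ACCEPT rules above and the interface-binding advice in this paragraph, worked into a small audit script. This is an added example, not code from the book: it parses `netstat -ltn`-style output (the sample table below is constructed, not captured from a real host), reports every listening TCP service that is reachable from the Internet but is not on the site's allowlist of offered services, and builds a default-deny ipchains input chain for the allowed ports. The interface names eth0/eth1 follow the text; the internal network 192.168.1.0/24, the sample sockets and the function names are assumptions.

```python
"""Audit listening TCP services against a minimal Internet-facing allowlist
and build a default-deny ipchains input chain for the ports that remain.

Added example, not the book's code. Assumptions: eth0 faces the Internet,
eth1 faces the internal LAN 192.168.1.0/24, and the socket table below is
constructed sample output in `netstat -ltn` format.
"""
import ipaddress
import re

# Ports this site deliberately offers to the Internet (SSH and SMTP, as in the text).
INTERNET_ALLOWED_PORTS = {22, 25}

# Constructed sample of `netstat -ltn` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
"""

LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def parse_listeners(netstat_output):
    """Return [(bind_address, port)] for every listening TCP socket in the table."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def exposed_to_internet(bind_addr, internal_net):
    """A socket is Internet-reachable unless bound to loopback or to an address on the internal LAN.

    0.0.0.0 means 'all interfaces', which includes eth0, so it counts as exposed.
    """
    addr = ipaddress.ip_address(bind_addr)
    return not (addr.is_loopback or addr in internal_net)


def audit(netstat_output, internal_net, allowed_ports=INTERNET_ALLOWED_PORTS):
    """Return the (addr, port) pairs reachable from the Internet that are not offered services.

    Each hit is a service to block with a firewall rule or to re-bind to eth1.
    """
    internal = ipaddress.ip_network(internal_net)
    return [
        (addr, port)
        for addr, port in parse_listeners(netstat_output)
        if port not in allowed_ports and exposed_to_internet(addr, internal)
    ]


def ipchains_rules(allowed_ports, external_iface="eth0", internal_iface="eth1"):
    """Build an input chain whose policy is DENY and that accepts only the allowed TCP ports on eth0.

    The ACCEPT lines in the text only restrict anything if the chain's policy is
    DENY; ipchains' default policy is ACCEPT, so the policy line comes first.
    """
    rules = [
        "ipchains -P input DENY",                             # unmatched packets are dropped
        "ipchains -A input -i lo -j ACCEPT",                  # loopback traffic
        f"ipchains -A input -i {internal_iface} -j ACCEPT",   # trust the internal LAN side
    ]
    for port in sorted(allowed_ports):
        rules.append(f"ipchains -A input -i {external_iface} -p tcp -j ACCEPT "
                     f"-s 0.0.0.0/0 -d 0.0.0.0/0 {port}")
    # ipchains is stateless: replies to connections this host opened arrive without
    # the SYN flag, so accept non-SYN TCP from outside (! -y) or outbound use breaks.
    rules.append(f"ipchains -A input -i {external_iface} -p tcp ! -y -j ACCEPT")
    return rules


if __name__ == "__main__":
    for addr, port in audit(SAMPLE_NETSTAT, "192.168.1.0/24"):
        print(f"EXPOSED: {addr}:{port} is listening on the Internet side but is not an offered service")
    print("\n".join(ipchains_rules(INTERNET_ALLOWED_PORTS)))
```

On the constructed table, the audit flags only `0.0.0.0:2049` (NFS bound to all interfaces); Samba on 192.168.1.1 and the local-only server on 127.0.0.1 pass because they are already bound the way the paragraph recommends. Run the audit again after any package install, since new daemons usually bind to 0.0.0.0 by default.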

    Real World Linux Security Prentice Hall Ptr Open Source Technology Series
    Year: 2002
    Pages: 260