List: linux-newbie
Subject: Re: HowTo: Fortifying a internet connected Linux server?
From: Ray Olszewski <ray () comarre ! com>
Date: 2002-05-27 16:07:38
At 03:30 PM 5/27/02 +0000, Richard Adams wrote:
>On Monday 27 May 2002 14:57, Ola Theander wrote:
> > Dear subscribers.
> >
> > I'm currently setting up a home network which will have a Linux box acting
> > as a gateway/firewall, connected to the Internet, for my internal network.
> > The gateway computer will also have servers for the following services:
> > HTTP, SMTP and DNS.
> >
> > My question is, is there any good documentation, books or on-line, about
> > how to setup and secure an Internet exposed Linux server? The server will
> > run SuSE Linux 8.0, kernel 2.4.18.
>
>My thoughts; I expect Ray and Lawson will chip in as well.
Well ... as long as you asked ... this is a tough problem. These days, the
standard distros come out of the box pretty secure, for everyday purposes.
The usual advice here is --
1. Make sure the system is kept up to date with regard to security
patches, particularly patches for the apps that run the visible services
(e.g., apache, BIND, whatever SMTP package you will be using). If SuSE
doesn't have its own good security list (I bet it does, though), subscribe
to and read a general purpose one like bugtraq.
2. Install on the system only what it needs to provide the
services it will offer. In practice, this means no compilers or
interpreters, except ones needed for the services you will run (e.g., some
shell, and possibly perl for cgi scripts).
3. Minimize the number of user accounts on the system, and make
sure all of them, and root, have good passwords.
4. Limit the system's ability to access other systems on your LAN.
Ideally, you put a server on a separate subnet from your internal LAN, a
setup commonly called a DMZ.
5. Run intrusion-detection software. I'm not up to date on what is
available, but older packages here include tripwire, and portsentry.
6. Run a good firewall script. The best standard one I know of for
the 2.4.x kernel is Shorewall (probably shorewall.sourceforge.net, but a
standard search should find it if my memory is wrong). A good bespoke one
isn't hard to write, though (that's what we've done here).
Since you want to run these services on your router, rather than on a
separate workstation, some of this advice is impractical for you to follow.
That means you need to be especially vigilant about the parts you can
follow (like keeping the security patches up to date).
BTW, to handle a typical home Internet connection (1.5 Mbps or less
externally, no VPN software running on the router), a 486/40 with 16 MB
RAM, a tiny hard disk (even a floppy drive, if you use a specialized distro
like LEAF), and 2 or 3 10BaseT NICs is more than sufficient. If hardware
cost is what is keeping you from running a separate firewall/router, then
you might rethink the calculation if you have any "obsolete" equipment of
this sort lying about.
As to finding information on the Web ... I've seen stuff in the past, but
nothing new enough that it covers securing on a 2.4.x kernel. Probably
there is newer material, but I haven't researched this in some time. The
keyphrase you want to search on is "hardening Linux", and I'd expect
standard search engines to find the sorts of material you want (to the
extent that it exists) with that search string.
--
-----------------------------------------------"Never tell me the odds!"--------------
Ray Olszewski -- Han Solo
Palo Alto, California, USA ray@comarre.com
--------------------------------------------------------------------------------------------
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
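An added example, not from Ray's post or from Shorewall: a minimal default-deny iptables script of the kind item 6 describes, for a 2.4.x gateway that also exposes HTTP, SMTP and DNS. It assumes eth0 faces the Internet, eth1 the LAN, and 192.168.1.0/24 as the internal subnet; by default it only prints the rules so they can be reviewed before being applied.

```shell
# Added example (not from the original post): default-deny iptables ruleset for a
# home gateway that also serves HTTP, SMTP and DNS to the Internet. Assumptions:
# eth0 is the WAN NIC, eth1 the LAN NIC, 192.168.1.0/24 the LAN. "sh fw.sh apply" applies.
WAN_IF="${WAN_IF:-eth0}"              # assumed Internet-facing NIC
LAN_IF="${LAN_IF:-eth1}"              # assumed internal NIC
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed internal subnet
DRY_RUN="${DRY_RUN:-1}"               # 1 = print rules only, 0 = run iptables

# ipt: print the rule in dry-run mode, otherwise hand it to iptables.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# allow_service: accept new inbound connections from the Internet on one port.
# These calls are the only thing the outside can reach; keep them to what you offer.
allow_service() {
    ipt -A INPUT -i "$WAN_IF" -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
}

build_rules() {
    ipt -F; ipt -t nat -F
    # Default deny: anything not matched by a rule below is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this box started (stateful matching via 2.4.x ip_conntrack).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The LAN side is trusted; the Internet side gets only the listed services.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    allow_service tcp 80   # HTTP
    allow_service tcp 25   # SMTP
    allow_service udp 53   # DNS queries
    allow_service tcp 53   # DNS over TCP (large answers, zone transfers)
    # Routing for the LAN: outbound allowed, only replies come back in, NAT to the WAN address.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# count_open_ports: number of inbound ports the ruleset exposes to the Internet,
# a quick sanity check to run (in dry-run mode) before touching a live router.
count_open_ports() {
    ( DRY_RUN=1; build_rules ) | grep -c -- "-i $WAN_IF .*--dport"
}

if [ "${1:-}" = "apply" ]; then DRY_RUN=0; build_rules; fi
```

Running the script without arguments prints the ruleset, and `count_open_ports` should report exactly the four ports the server is meant to offer.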