
List:       suse-security
Subject:    Re: [suse-security] how to protect?
From:       Robert Davies <rob_davies () ntlworld ! com>
Date:       2003-03-10 10:28:51

On Sunday 09 March 2003 17:29, Michael  Hoeller wrote:
> Hello David, hello Matthias, hello list,
>
> David, your suggestions "sound" good to my newbie ears; I have reposted it
> with my remarks. Sorry this got a little bit too long but to cut off your

I'm a bit concerned that for a newbie, the answers coming back are along the 
lines of everything that is possible to do, to make for a very secure 
installation, rather than what Michael originally asked, which was, what he 
"really needed to do".

Michael, you need to balance the risks, and decide on the right 
cost/benefit tradeoff.  Actually, reaping the low-hanging fruit will bring 
most of the benefits fairly simply and easily.

So let's look at the question again :

On Sunday 09 March 2003 09:46, Michael  Hoeller wrote:
> Here is the problem, I need to run a productive server SuSE 8.0 to which
> some real terminals are connected (-> no harddrive) the terminals boot via
> tftp and mount the certain drives via nfs. For "online" backups I run rsync.
> The server must be reachable for remote maintenance via isdn dialin, also
> telnet and ftp. The temporary connects to the internet for surfing and
> email should also be possible.
>
> What would you suggest to protect the machine? It would be great if you
> could point me to the right direction that way I can focus on the things
> which are really needed.

Can you explain more about how those machines connect to the Internet, is it 
permanently on or via dialup?   (If it's dialup then you might be able to 
take advantage of the /etc/ppp/ip-{up,down}.local scripts).  Is the access 
via ISDN dialin, also the line used for 'temporary connects' to the net?

The time and effort to spend on securing that network, depends on balancing 
the risks, and the amount of time you're able to put in on configuration and 
administration.  There's not a lot of point in setting up Intrusion or Scan 
detection systems for that network, if it's on dialup, connected just a few 
hours a week, and you're not going to have time to monitor the IDS or 
scanner's output anyway.

What is clear is :

0)  Read Nix's Security FAQ at http://www.susesecurity.com/
1)  Check what services you are offering on the Internet connected machine
    (netstat -lp)
2)  Set up an appropriate firewall, that only permits the UDP and TCP/IP 
    client connections to things that are *required*.
3)  Set up a cron job to ensure either YaST Online Update (or fou4s) runs and 
    applies security fixes.
4)  Use ssh(1), scp(1), sftp(1) or rsync -essh   (rsync '-essh -c blowfish' 
    will save CPU time on large transfers).

Rob

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
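
Added example, not part of the original message: one way to turn steps 1 and 2 into a repeatable check, by comparing the listeners netstat reports against the services that are actually required. The function names, the allowlist and the sample netstat output are constructed for illustration; the -n, -t and -u flags are added to the message's `netstat -lp` so that ports are numeric and only TCP/UDP sockets are shown.

```shell
#!/bin/sh
# Constructed sample of `netstat -lntup` output (not taken from the message).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN   412/sshd
tcp        0      0 0.0.0.0:23        0.0.0.0:*         LISTEN   388/inetd
tcp        0      0 127.0.0.1:25      0.0.0.0:*         LISTEN   501/master
tcp        0      0 0.0.0.0:21        0.0.0.0:*         LISTEN   388/inetd
udp        0      0 0.0.0.0:69        0.0.0.0:*                  388/inetd
udp        0      0 0.0.0.0:2049      0.0.0.0:*                  -
EOF
}

# unexpected_listeners "proto/port ..." < netstat-output
# Prints "proto/port pid/program" for every socket that is bound to a
# non-loopback address and is not named in the allowlist argument.
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        # TCP rows carry a State column; keep only listening sockets.
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next
        proto = $1; sub(/6$/, "", proto)      # treat tcp6/udp6 as tcp/udp
        addr = $4; port = $4
        sub(/:[^:]*$/, "", addr)              # drop the trailing ":port"
        sub(/^.*:/, "", port)                 # keep what follows the last colon
        if (addr ~ /^127\./ || addr == "::1") next   # loopback-only service
        key = proto "/" port
        if (!(key in ok)) print key, $NF      # $NF is PID/Program name
    }'
}

# Demo on the constructed sample: ssh, tftp and nfs are treated as required.
# On a live host: netstat -lntup | unexpected_listeners "tcp/22 udp/69 udp/2049"
sample_netstat | unexpected_listeners "tcp/22 udp/69 udp/2049"
```

Anything the function prints is either a service to switch off or a port the firewall from step 2 has to block on the Internet-facing interface.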
