March Meeting Presentations

John (EBo) David plug-discuss@lists.plug.phoenix.az.us
Mon, 11 Mar 2002 22:08:35 -0700


George Toft wrote:
> 
> What caught my attention was it was running KDE, implying runlevel 5.
> No need to have gpm running in runlevel 5.  

true, but I do not boot directly into that x-login interface.  I have it
come up text mode and then I start X iff I want to (which is most of the
time, but not always).  The base configuration for text IIRC starts up
GPM.  But regardless of wanting the mouse up for text mode it should be
noted that this is the default configuration for RH.  SuSE, IIRC, was
the same, and I thought it was required.

> Yes it was minor, but
> so is having the iPlanet splash page on a URL in a corporation. 

;-)

> It
> is not a problem per se, but indicates a lack of attention in the
> configuration of a machine, which makes it an easier target.

point taken.

> Next was portmapper and sendmail.  Having sendmail indicates this is
> a mail server.  I shy away from having portmapper (or any r* services)
> on any server w/o a good firewall or two between it and the Internet.

If I have things configured correctly, only local email is handled, and
is forwarded through a separate email server proper.  And I must admit
that once I got all of the local traffic forwarding working correctly
that I have not done much else to it.  But IIRC if you send an email
from a terminal in command-line mode, then it needs sendmail up for it.
If this is not the case I will gladly remove it from the
process/services.

> My philosophy is that no machine should rely solely upon a firewall for
> protection - they should be able to stand alone for a short period
> of time in case the firewall is compromised.  You do have an Intrusion
> Detection System on your firewall, right? 

Well, I do not know.  I can only go by what the network admins tell me,
and I have no control...  Maybe I should explain a couple of details.
While this is my personal machine (one of about 6), it is sitting on my
desk at work at ASU.  I had this machine configured and built
specifically so I would have a decent machine when I came back to grad
school.  I never assume that a department focusing on ecology is going
to have much more than a PII-Win98 box.  So,...

The building supposedly has its own firewall, and so does the major in
and out of the U.  The quality of the security is open to debate, but
seems to be reasonable most of the time -- though do NOT talk to them
about running Solaris (it's a sore spot).  So, do they have an intrusion
detection firewall - I think so, but I have no details, and less
control.

> IMHO, those $100 appliances
> that Linksys sells are good for the average home user, but for us
> more informed Linux weenies, we should set up a better firewall that
> includes an IDS.  

agreed, and I seriously thought of setting up my own machine and
firewall -- that gave the netadmins I talked to a case of
constipation...

> Another opinion: no workstation should accept
> traffic sent to it unless that traffic is a response to something it
> initiated.  

or possibly trusted peers like the automated network backup system, or
COWs

> Third opinion: no production server should be used as a
> workstation.

I have 1 high end machine at this point that I use for development. 
That includes CGI scripting, parallel/distributed software development,
and just plainly reading my email ;-)  So, no this is not a production
server, but brings up/down services when needed...

  EBo --
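The policy argued over above (a workstation accepts only replies to traffic it initiated, with a short allowlist of trusted peers such as a backup server) can be expressed as a stateful host firewall. The script below is an added example and is not code from either poster or from the PLUG list; it generates an iptables-restore ruleset from a peer list and includes a self-check that no non-loopback ACCEPT rule lacks a connection-state match. The peer addresses are constructed placeholders from the 192.0.2.0/24 documentation range, and the `-m conntrack` module is assumed to be present on the host.

```shell
#!/bin/sh
# Added example, not from the original thread: build a host firewall that
# drops all unsolicited inbound traffic except from explicitly trusted peers.
# Peer entries are "address/port/proto"; these two are constructed placeholders
# standing in for a backup server (ssh) and an NFS peer.
TRUSTED_PEERS="192.0.2.10/22/tcp 192.0.2.20/2049/tcp"

# Emit an iptables-restore ruleset for the given peer list.
workstation_ruleset() {
    peers="$1"
    printf '%s\n' '*filter'
    # Default policy: drop anything not explicitly accepted below.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic is always allowed.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host initiated.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Trusted peers may open NEW connections, but only to the listed port.
    for p in $peers; do
        addr=${p%%/*}
        rest=${p#*/}
        port=${rest%%/*}
        proto=${rest#*/}
        printf '%s\n' "-A INPUT -s $addr -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited) what the DROP policy is about to discard, so the
    # host's own logs show probes even if the upstream IDS does not.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
    printf '%s\n' 'COMMIT'
}

# Self-check: count INPUT ACCEPT rules (other than loopback) that have no
# --ctstate match.  A result of 0 means nothing accepts unsolicited traffic
# without a state or peer restriction.
unrestricted_accepts() {
    workstation_ruleset "$1" \
        | grep '^-A INPUT' \
        | grep -- '-j ACCEPT' \
        | grep -v -- '-i lo' \
        | grep -v -- '--ctstate' \
        | wc -l
}

# Number of per-peer rules produced (one per entry in the peer list).
peer_rule_count() {
    workstation_ruleset "$1" | grep -c -- '--ctstate NEW'
}

# Usage (as root, after reviewing the output):
#   workstation_ruleset "$TRUSTED_PEERS" | iptables-restore
```

The per-peer rules match on source address, protocol and destination port together, so a trusted backup host can reach only the one service it needs; adding a peer means adding one entry to `TRUSTED_PEERS`, not hand-editing rules.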