See below.

It seems like on Wed, May 17, 2000 at 10:12:46PM -0700, Craig White scribbled:
Orig Msg> Jean Francois sent out a post to this message board a month or two ago that
Orig Msg> discussed this but of course, I deleted it a few days ago...
Orig Msg>
Orig Msg> therefore - the best advice I could give would be to comment out all that
Orig Msg> you aren't certain that you need if the computer is exposed to the
Orig Msg> internet - specifically you should comment out...finger,
Orig Msg> rlogin/rshell/r-everything, auth, ftp, telnet, etc... anything that you need
Orig Msg> to run should be blocked from the external interface using ipchains - that
Orig Msg> is of course, unless you need to expose it then you better make sure that
Orig Msg> it's up to date, covered by tcp wrappers and pray ;-)
Orig Msg>

I read a really good security article a few days ago. It described how firewalls and Internet-connected systems should be rated as safes are. A safe is rated by the amount of time it would take a professional safecracker to get into it with certain tools. I don't have the URL, but it was something like 60CT meant sixty minutes with crowbar and torch. I think it came from Linux Today, but I will double check.

Anyway, a firewall is the same kind of thing. It cannot be designed to be impenetrable. Nothing can! It can be designed to hold an attacker at bay (think Great Firewall of China) long enough to be detected and handled before a breach occurs. If you don't have a firewall, think of the connected systems as safes and design them according to just how hard you want it to be to have them get 0wn3d.

You might even want to consider single user mode while Internet connected with your favorite Linux box. Just how many of those pesky server services do you need to download pr0n, warez, and mp3 files? Internet-connected systems don't need to be hobbled, just protected from the malicious barbarian hordes. Some things are sometimes better modified than removed.
See my complete firewall /etc/inetd.conf below:
======================================
# identd running unprivileged as nobody, logging queries (-l) and
# withholding error detail, OS type and user names (-e -o -n)
auth    stream tcp nowait.32768 nobody /usr/sbin/in.identd in.identd -l -e -o -i -n
# finger and cfinger answer with a canned file instead of real user data
cfinger stream tcp nowait root /usr/sbin/tcpd /bin/cat /home/frenchie/Mail/info
finger  stream tcp nowait root /usr/sbin/tcpd /bin/cat /home/frenchie/Mail/info
# the only real service, started per connection (-i) behind tcpd
ssh     stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/sshd.new -i
======================================

Hax0rs, when properly taunted, will either go away or try so hard as to start making stupid mistakes. That is what you want; the frustrated Hax0r leaves a nice trail of activity due to ego. Remember, security should be fun too :)

JLF Sends...

Behold, the Internet is the greatest sum of information at mankind's fingertips since the Library of Alexandria. Despite this vast storehouse of knowledge at our disposal, there are still those that will send urban legend and blatantly false information to mailing lists and newsgroups without making even the slightest effort to check their legitimacy. At every occurrence this proves to me that every node, wire, and server I help connect to the Internet to widen its expanse for the benefit of the masses is a complete waste of time. ( J. Francois )
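The advice quoted in this thread (comment out finger, the r-services, auth, ftp and telnet unless you need them, and put whatever is left behind tcpd) is easy to check mechanically. The following is an added example, not code from the post or its author: a small auditor for an inetd.conf in the format above. The sample config is constructed here; it reuses the four live lines from the post and adds two made-up risky entries (telnet and login) plus one already-commented ftp line so every branch is exercised. The set of "risky" service names and the rule that a canned-file reply served by cat is harmless are this example's assumptions, taken from the thread, not from any inetd documentation.

```python
"""
Audit an inetd.conf against the thread's advice: comment out finger, the
r-services, auth, ftp and telnet unless needed, and wrap what remains in
tcpd (tcp_wrappers).  Added example, not code from the post.
"""
import os

# Services the quoted advice names for removal.  inetd's names for
# rlogin/rsh/rexec are login/shell/exec.  (Assumption: this list mirrors
# the advice in the thread, nothing more.)
RISKY = {"finger", "cfinger", "login", "shell", "exec", "auth", "ftp", "telnet"}

# Constructed sample: the four live lines from the post plus two constructed
# risky entries (telnet, login) and one already-commented entry (ftp).
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
auth    stream tcp nowait.32768 nobody /usr/sbin/in.identd in.identd -l -e -o -i -n
cfinger stream tcp nowait root /usr/sbin/tcpd /bin/cat /home/frenchie/Mail/info
finger  stream tcp nowait root /usr/sbin/tcpd /bin/cat /home/frenchie/Mail/info
ssh     stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/sshd.new -i
telnet  stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
login   stream tcp nowait root /usr/sbin/tcpd in.rlogind
#ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
"""


def parse_inetd_conf(text):
    """Return one dict per active (non-blank, non-comment) line.
    inetd(8) field order: service socket_type proto wait/nowait[.max]
    user[.group] server [args...]"""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 6:
            continue  # malformed; inetd would skip it too
        wrapped = os.path.basename(f[5]) == "tcpd"
        # Behind tcpd the real daemon is the first argument; otherwise the
        # server field itself is the daemon.
        daemon = f[6] if wrapped and len(f) > 6 else f[5]
        entries.append({
            "line": lineno,
            "service": f[0],
            "proto": f[2],
            "user": f[4].split(".")[0],
            "wrapped": wrapped,
            "daemon": os.path.basename(daemon),
        })
    return entries


def audit(entries):
    """Return (service, line, finding) tuples.
    'disable'  : a risky service runs its real daemon.
    'unwrapped': the daemon answers directly, so tcpd's hosts.allow /
                 hosts.deny filtering and logging never see the connection.
    A risky name whose daemon is just cat (a canned reply, as in the post)
    gets no 'disable' finding: it reveals nothing about real users."""
    findings = []
    for e in entries:
        if e["service"] in RISKY and e["daemon"] != "cat":
            findings.append((e["service"], e["line"], "disable"))
        if not e["wrapped"]:
            findings.append((e["service"], e["line"], "unwrapped"))
    return findings


def harden(text):
    """Comment out every line audit() marks 'disable'; keep the rest verbatim."""
    to_disable = {line for _, line, what in audit(parse_inetd_conf(text))
                  if what == "disable"}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        out.append("#" + raw if lineno in to_disable else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for service, line, what in audit(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print(f"line {line}: {service}: {what}")
    print(harden(SAMPLE_INETD_CONF))
```

Run against the sample, the auditor flags auth (real in.identd, and not behind tcpd), the constructed telnet line (real daemon, unwrapped) and the constructed login line (real in.rlogind), while the two cat-served finger entries and the wrapped sshd pass. After harden() comments those three out, a second audit of the result is empty. One caveat for the 'unwrapped' check: a daemon linked against libwrap honours hosts.allow and hosts.deny without tcpd in front, which this line-based check cannot see, so treat that finding as "verify", not "broken".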