Securing your Linux Box... was Re: warning in /var/log/messages

jlf@magusnet.gilbert.az.us jlf@magusnet.gilbert.az.us
Thu, 18 May 2000 06:36:27 -0700


See below.

It seems like on Wed, May 17, 2000 at 10:12:46PM -0700, Craig White scribbled:
Orig Msg> Jean Francois sent out a post to this message board a month or two ago that
Orig Msg> discussed this but of course, I deleted it a few days ago...
Orig Msg> 
Orig Msg> therefore - the best advice I could give would be to comment out all that
Orig Msg> you aren't certain that you need if the computer is exposed to the
Orig Msg> internet - specifically you should comment out...finger,
Orig Msg> rlogin/rshell/r-everything, auth, ftp, telnet, etc... anything that you need
Orig Msg> to run should be blocked from the external interface using ipchains - that
Orig Msg> is of course, unless you need to expose it then you better make sure that
Orig Msg> it's up to date, covered by tcp wrappers and pray   ;-)
Orig Msg> 


I read a really good security article a few days ago.
It described how firewalls and Internet connected systems
should be rated as safes are.
A safe is rated in the amount of time it would take a
professional safecracker to get into with certain tools.
I don't have the URL but it was something like 60CT meant
sixty minutes with crowbar and torch.
I think it came from Linux Today but I will double check.

Anyway, a firewall is the same kind of thing.
It cannot be designed to be impenetrable. Nothing can!
It can be designed to hold an attacker at bay 
( think Great Firewall of China ) long enuff to be detected and handled
before a breach occurs.
If you don't have a firewall think of the systems connected as safes
and design them according to just how hard you want it to be to
have them get 0wn3d.
You might even want to consider single user mode while Internet connected
with your favorite Linux Box. Just how many of those pesky server
services do you need to download pr0n, warez, and mp3 files?

Internet connected systems don't need to be hobbled, just protected
from the malicious barbarian hordes.

Some things are sometimes better modified than removed.

See my complete firewall /etc/inetd.conf below:
======================================
auth	stream	tcp	nowait.32768	nobody	/usr/sbin/in.identd	in.identd -l -e -o -i -n
cfinger	stream	tcp	nowait	root	/usr/sbin/tcpd	/bin/cat /home/frenchie/Mail/info
finger	stream	tcp	nowait	root	/usr/sbin/tcpd	/bin/cat /home/frenchie/Mail/info
ssh	stream	tcp	nowait	root	/usr/sbin/tcpd	/usr/local/sbin/sshd.new -i

Hax0rs when properly taunted will either go away or try
so hard as to start making stupid mistakes.
That is what you want; the frustrated Hax0r leaves a nice trail
of activity due to ego.
Remember security should be fun too :)

JLF Sends...
Behold, the Internet is the greatest sum of information at mankind's 
fingertips since the Library of Alexandria. Despite this vast storehouse
of knowledge at our disposal, there are still those that will send
urban legend and blatantly false information to mailing lists and
newsgroups without making even the slightest effort to check their 
legitimacy.  At every occurrence this proves to me that every node, wire,
and server I help connect to the Internet to widen its expanse for 
the benefit of the masses is a complete waste of time.  ( J. Francois )
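A small audit script for the advice in this thread, added here as an example and not code from either poster: it reads an inetd.conf in the standard format (service, socket type, protocol, wait/nowait, user, server, args), skips commented-out lines, and reports every active entry that is one of the services Craig lists as candidates for commenting out, plus any active entry whose server program is not /usr/sbin/tcpd (so it bypasses tcp wrappers). The sample config is constructed to mirror the one quoted above with two extra lines; findings are for review, since a deliberately modified service (finger pointed at /bin/cat, identd with restrictive flags) still shows up.

```shell
#!/bin/sh
# Constructed sample inetd.conf (not taken from a real host).
SAMPLE=$(cat <<'EOF'
# constructed: quoted config from the thread plus two risky entries
auth    stream  tcp     nowait.32768    nobody  /usr/sbin/in.identd in.identd -l -e -o -i -n
cfinger stream  tcp     nowait  root    /usr/sbin/tcpd  /bin/cat /home/frenchie/Mail/info
finger  stream  tcp     nowait  root    /usr/sbin/tcpd  /bin/cat /home/frenchie/Mail/info
ssh     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/local/sbin/sshd.new -i
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd in.rshd
EOF
)

# Read an inetd.conf on stdin; print one "service reason server" line per finding.
audit_inetd() {
    awk '
      BEGIN {
        # services the thread recommends commenting out on an Internet-facing box
        n = split("finger cfinger telnet ftp shell login exec auth tftp", a, " ")
        for (i = 1; i <= n; i++) risky[a[i]] = 1
      }
      # comment lines and blank lines are inactive entries
      NF == 0 || $1 ~ /^#/ { next }
      NF >= 6 {
        svc = $1; server = $6
        if (svc in risky)
            print svc, "risky-service-enabled", server
        if (server != "/usr/sbin/tcpd")
            print svc, "not-wrapped-by-tcpd", server
      }
    '
}

# Run the audit over the constructed sample.
sample_findings() {
    printf '%s\n' "$SAMPLE" | audit_inetd
}

# Number of findings, usable as a gate in a hardening checklist.
sample_finding_count() {
    sample_findings | wc -l | tr -d ' '
}

sample_findings
```

On a live box run `audit_inetd < /etc/inetd.conf`; a clean result means every active service is either off the risky list or at least wrapped by tcpd.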