LINUX.IE, website of the Irish Linux Users' Group
[ILUG] Re: [OT] private IPs in public dns zones

Wynne, Conor Conor.Wynne at compaq.com
Thu Jul 19 15:52:52 IST 2001


Story boss,

Well you do get SOME protection from the ISP side, and you can only be
scanned and hacked for the time you spend online. As soon as you disconnect,
then you will be given another IP, so the hacker will have to try again.
Private IPs are therefore safe. Because if you NAT or masq, your IP of the
desktop that you use will be hidden anyway. 

So private IPs = Safe as houses I would say. 

Here is my configuration. (not exact but from me head)

Firewall (currently smoothwall, nice and easy to set up, but RTFM as the
developers are touchy - which is understandable) 
This box has two NICs and an ISDN adaptor - or will tonight coz I just
bought one that works with linux. 

Anyway, the green interface is your private LAN which is, naturally, inside
the DMZ or demilitarised zone if you want to be cool. Then the orange
interface is for your http/internet traffic to the DMZ, and the RED is your
connection - i.e. the ISDN/modem dial-up to the ISP. 

My cfg 
Green IP : 	192.168.0.1 (or something) Private LAN
Orange IP : 192.168.1.1 - Internet traffic from RED
Red IP : 	16.209.45.68 or whatever the ISP assigns to you. 

All the ports are closed except the obvious! 

Immediately behind this is my Proxy server - Squid on a Dual Celery, it also
runs samba and maybe a mail server ala Donnacha's brilliant contribution -
That'll be a tenner Donnacha! 
Now the proxy is stripped down, no x-server anymore, just the essentials
with a dedicated 6GIG cache. The kernel has been recompiled to be tiny and
is only accessible over SSH from a desktop in the DMZ.

IP address of NIC is - I think - bit thicker than usual today - 192.168.0.2.

I did have another NIC but it blew up, anyway it's not necessary. 

All the IPs of the desktops are done through DHCP, likewise for DNS.
Everything is super fast and I'm very happy with the setup. 

Smoothwall has superb logging facilities but I also use SNORT for intrusion
detection. 


So as Jerry Springer says, it's time for the final thought....
Get a firewall quick sharp. On average with my DIALUP MODEM!!!! I received
35 attempted hacks in 12 hours or something, it all depends, some days there
are none. But even in 2 hours, you CAN be hacked. Don't rely on your ISP for
protection. 
Close the non-essential ports, update DNS - due to security bugs in older
versions. Don't run an x-server on the firewall or proxy servers. 

I am only learning about security and it's taking longer than I thought :(

Check out the smoothwall PDFs on their site, they are very informative.

Ciao Bello, I hope this has been of some use and not a load of shite :)
CW

---------------------
This is already nicely OT and may allow me to raise the following...

How secure is an ISDN dial-on-demand router, getting a (random) IP address
each time from the ISP, with only "private" 192.168.1.X addresses behind it?
I am probably googling with the wrong phrases, but I cannot find anything
useful on this.

To help this keep some......



