From: Ronan Waide (waider at domain waider.ie)
Date: Sun 07 Jul 2002 - 21:50:12 IST
On June 19, kevin at domain ie.suberic.net said:
> first, the following is how i set up the network security on my 7.3 box.
> not sure if this is the best way to do it - particularly in light of
> the problems i describe later on. comments?
Yes, almost a month later, your cow orker replies. Jeez. Slow email in
these parts, or something. Anyway. To set up my own internet-facing
box to my satisfaction, I did this:
1. Log into something out in the real world and portscan my box.
2. Find out what the services are that I don't need/recognize, kill
3. Configure the services that I do need to not listen on the
Internet-side interface (i.e. ppp0), unless they're specifically
needed there. Anything that can't be so configured is configured to
require authentication and/or require access only from my internal
network . Anything that STILL can't be configured according to
any of these options, I figure out if I really really need it,
discover that I don't, and can the service in question.
That pretty much covered me and my little dialup server. I don't have
any ipchains or iptable or ipwotsit rules; I occasionally hang a
tcpdump process off the ppp interface to see what's keeping it up and
running (you'd be surprised. I had to phone an office in the UK to ask
them to stop their GRE tunnel from trying to connect to my
server. /they/ were pretty surprised.) and I occasionally run
honeypots for things like NIMDA (more of a venus flytrap. It calls
back on the incoming connection and attempts to use the nimda
infection to disable the server in question). My main reason for not
using ipchains/iptables is that I don't want to find that my server is
hanging its arse out in the breeze because I forgot to enable the
Comments on this approach would also be appreciated.
Waider. Oh, I do use iptables. I have to NAT the eth network out through ppp0.
 This always reminds me of the should-have-been-Steven-Wright line,
"I got an internal modem fitted, now it hurts when I walk"
-- waider at domain waider.ie / Yes, it /is/ very personal of me. "this is wonky. i am using pentium based linux system to make a 68000 executable with the source and .o and smbfs mounted dir from an NT server and the includes from a NFS server" - Jonathan Vail
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:43 GMT