gateway security?
From: Eric Timme (timothy@voidnet.com)
Date: 12/09/02
- Next message: Mike Hoskins: "Re: gateway security?"
- Previous message: Patrick Fish: "Re: psybnc and IRC hack"
- Next in thread: Mike Hoskins: "Re: gateway security?"
- Reply: Mike Hoskins: "Re: gateway security?"
- Reply: Stephan Eckner: "Re: gateway security?"
- Maybe reply: Duncan Campbell: "Re: gateway security?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Eric Timme <timothy@voidnet.com> To: freebsd-security@freebsd.org Date: Mon, 9 Dec 2002 13:17:15 -0600
Hi everyone, I was wondering if someone could point me in the direction of
some discussions of general security in a LAN environment with a FreeBSD
machine doing NAT/firewalling? I haven't had a ton of luck browsing the
archives and finding any discussions. I've read over the general primer, but
would like to read about some actual deployment of security when your
headless gateway sits in a dark closet, accumulating dust.
Currently I have a pretty restrictive set of firewall rules in place, allowing
only http and ssh traffic from the outside, and I require DES public/private
keys for ssh access. There is a single user account on the gateway, and root
logins are disallowed from all but console. The gateway is doing a single
NFS export of my public_html directory for easy access from an internal
FreeBSD gateway.
As for current security, it is a little lacking, but I am planning to wipe and
reinstall now that winter break affords me some freedom from schoolwork. I
have the following settings in my partitioning scheme (ad0 is 1.5 gig, and
with this partitioning scheme I just barely fit, and use ad1 for additional
space), and use secure level 2 for daily operations.
/dev/ad0s1a / rw,nosuid
/dev/ad0s1e /tmp rw,noexec,nosuid
/dev/ad0s1g /usr ro
/dev/ad1s1e /usr/obj ro
/dev/ad0s1d /usr/home rw,noexec,nosuid
/dev/ad1s2e /usr/home/timothy/public_html rw,nosuid
/dev/ad0s1h /usr/local ro,nosuid
/dev/ad0s1f /var rw,noexec,nosuid
I've been using snort with a remote acid installation with alright success,
but it has never quite worked right, and am considering junking it, simply
because I don't see a lot of other people using it, and it has only been of
marginal success, spending more time picking up proxy scans from IRC and
false positives than anything else.
I'm planning to deploy aide with a write protected diskette, but would like
some advice as to other products to look into; I don't access the machine
regularly, aside from the NFS mount of my public_html directory, so would
like to find something that could email me status updates daily, or bi-daily,
ala the daily messages, which I currently forward to myself, to help reassure
me nobody is poking around in it.
Thanks for any pointers you can give me.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Mike Hoskins: "Re: gateway security?"
- Previous message: Patrick Fish: "Re: psybnc and IRC hack"
- Next in thread: Mike Hoskins: "Re: gateway security?"
- Reply: Mike Hoskins: "Re: gateway security?"
- Reply: Stephan Eckner: "Re: gateway security?"
- Maybe reply: Duncan Campbell: "Re: gateway security?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
