RE: Securing Fedora Core 4

From: Will Yonker (aragonx_at_dcsnow.com)
Date: 09/23/05

  • Next message: AragonX: "Re: Securing Fedora Core 4"
    Date: Fri, 23 Sep 2005 08:33:56 -0400 (EDT)
    To: focus-linux@securityfocus.com
    
    

    <quote who="Charles Heselton">

    > 4. Set up your firewall. I like firestarter (should come with FC4).
    > Other people like shorewall. Ultimately, it's the same outcome.

    I wasn't fond of the way Firestarter worked at all. I'll take a close
    look at Shorewall. I was really worried about rolling my own firewall but
    didn't like Firestarter or the standard Fedora one.

    > 5. Install/configure Bastille (this sort of overlaps some things,
    > but can also affect installation of others, so it might be a good
    > idea to do it early. SELinux might be better here, but I think
    > SELinux depends on some of the kernel hooks and such. The two have
    > really meshed over time, and I haven't followed it that closely.

    I abandoned my attempts at getting SELinux working quite the way I like.
    I installed LIDS and really liked the way it worked. The ACLs are easy to
    understand and just as easy to configure. My major problem with LIDS is
    it doesn't like BIND. There are things that SELinux does that LIDS
    doesn't but I can live with that.

    > 7. If you have another mail host for external mail (administrative
    > messages and such), configure sendmail to only send mail internally
    > (local system). You can configure spam assassin if you want, but
    > unless you're actually transferring bulk mail, you don't really need
    > it, nor the other 3 spam filters you listed.

    The hosts will receive email for the domain so spam filters are required.
    Some of our users are really dumb about what sites they go to. Their
    email addresses seem to get harvested every time we change them... User
    education has not worked so we will block some sites with
    Dansguardian/squid + some plugins. I doubt this will solve the problem
    totally, so all the spam filters...

    I've tried Spamassassin by itself but it doesn't get a lot of spam without
    a WHOLE lot of tweaking. Simply lowering the number just blocks valid
    email. lol

    > 9. Now configure tripwire (or aide).
    >
    > It's tough to try to generalize this into a concise format. If you
    > have a large enough environment to warrant specific purpose hosts,
    > you should do that. It will allow you to be much more specific about
    > your security measures, and will provide much less headache in
    > regards to management.

    I took this from a spreadsheet. I really was trying to keep the wording
    down to a check list format so I could check them off as I did them. It's
    hard to put very much information in the space I left myself. lol

    Thank you for the tips.

