RE: Securing Fedora Core 4
From: Charles Heselton (charles.heselton_at_gmail.com)
To: "'Will Yonker'" <email@example.com> Date: Fri, 23 Sep 2005 09:37:16 -0700
-----BEGIN PGP SIGNED MESSAGE-----
> -----Original Message-----
> From: Will Yonker [mailto:firstname.lastname@example.org]
> Sent: Friday, September 23, 2005 9:11 AM
> To: email@example.com
> Cc: firstname.lastname@example.org
> Subject: RE: Securing Fedora Core 4
> <quote who="Charles Heselton">
> > Like I said, they all provide the same outcome. They all are
> > glorified wrappers for iptables, so they all have the same
> > ultimate effect. I believe shorewall is a little more
> > "low-level", and may provide more of the granularity that you are
> > probably
> looking for. I
> > haven't used shorewall, so I can't say for sure. If that
> one doesn't
> > work out, I would recommend finding/writing a script (at least)
> > to manage your iptables configuration. It makes for easy
> management and
> > configurability, and you also are less likely to "fat-finger"
> > something. ;-)
> I guess I'm really afraid of missing something important when
> creating my
> own firewall, like some spammer domains and/or IP addresses I
> don't know
> about that I should block...
Well, those kinds of things should be blocked at your gateway. It's
much faster, and just as secure to handle this in a router's ACL,
than it is on a per machine basis. This way, you only need to worry
about configuring the host firewall for internal or "allowed"
threats. I'm defining "allowed threats" as services that you allow
through your firewall(s), i.e. DNS, HTTP, SMTP, etc.
> >> > 7. If you have another mail host for external mail
> >> > (administrative messages and such), configure sendmail to only
> >> > send mail internally (local system). You can configure spam
> >> > assassin if you want, but unless you're actually transferring
> >> > bulk mail, you don't really need it, nor the other 3 spam
> >> > filters you listed.
> >> The hosts will receive email for the domain so spam filters
> >> are required.
> > So, every host will be an MTA?
> No but every Linux machine will. The client machines run Windows
> XP. There are 3 offices at 3 different sites with 3 different
> domain names...
Gotcha. I guess I'm probably just missing the whole scope of what
you're trying to do. So that makes things difficult to speculate
accuracy. I wouldn't expect the clients to be on linux (yet). ;-)
> > Well, once you get the general gist down, you can break it up and
> > simplify it into a checklist. Someone else mentioned that
> > security is an attitude. This is true. It's a way of thinking
> > about how you manage your systems. Identify your critical
> > assets, i.e. what data are you trying to protect? Then, build
> > your protection scheme from the inside out.
> I'm trying to achieve 2 things. Protect these servers from
> hostiles on
> the Internet and protect the users from themselves (spam and
> content filtering). :(
Well, they are basically one and the same. While the users may be
ignorant, despite attempts at training ;-), spam, phishing, malware,
all comes from "hostiles on the Internet". The question is really
(and you don't have to answer this - on list atleast :-) ), "what's
your money maker?" Not wanting to get hacked, is not a critical
asset. Webservers (containing a company's web presence), development
images, money (if you're a bank), personal information of
employees/customers, intellectual property.....these are all examples
of things that you're trying to protect. Once you identify the
systems that contain/manipulate/transfer that data, you can secure
it more appropriately.
- - Charlie
5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF
In memoriam: http://www.militarycity.com/valor/1029976.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
-----END PGP SIGNATURE-----