RE: Securing Fedora Core 4

From: Charles Heselton (charles.heselton_at_gmail.com)
Date: 09/23/05

    To: "'Will Yonker'" <aragonx@dcsnow.com>
    Date: Fri, 23 Sep 2005 09:37:16 -0700
    
    

     

    > -----Original Message-----
    > From: Will Yonker [mailto:aragonx@dcsnow.com]
    > Sent: Friday, September 23, 2005 9:11 AM
    > To: charles.heselton@gmail.com
    > Cc: focus-linux@securityfocus.com
    > Subject: RE: Securing Fedora Core 4
    >
    > <quote who="Charles Heselton">
    > > Like I said, they all provide the same outcome. They all are
    > > glorified wrappers for iptables, so they all have the same
    > > ultimate effect. I believe shorewall is a little more
    > > "low-level", and may provide more of the granularity that you are
    > > probably looking for. I haven't used shorewall, so I can't say
    > > for sure. If that one doesn't work out, I would recommend
    > > finding/writing a script (at least) to manage your iptables
    > > configuration. It makes for easy management and configurability,
    > > and you also are less likely to "fat-finger" something. ;-)
    >
    > I guess I'm really afraid of missing something important when
    > creating my own firewall, like some spammer domains and/or IP
    > addresses I don't know about that I should block...

    Well, those kinds of things should be blocked at your gateway. It's
    much faster, and just as secure to handle this in a router's ACL,
    than it is on a per-machine basis. This way, you only need to worry
    about configuring the host firewall for internal or "allowed"
    threats. I'm defining "allowed threats" as services that you allow
    through your firewall(s), i.e. DNS, HTTP, SMTP, etc.

    >
    > >> > 7. If you have another mail host for external mail
    > >> > (administrative messages and such), configure sendmail to only
    > >> > send mail internally (local system). You can configure spam
    > >> > assassin if you want, but unless you're actually transferring
    > >> > bulk mail, you don't really need it, nor the other 3 spam
    > >> > filters you listed.
    > >>
    > >> The hosts will receive email for the domain so spam filters
    > >> are required.
    > >
    > > So, every host will be an MTA?
    >
    > No but every Linux machine will. The client machines run Windows
    > XP. There are 3 offices at 3 different sites with 3 different
    > domain names...

    Gotcha. I guess I'm probably just missing the whole scope of what
    you're trying to do. So that makes things difficult to speculate
    accurately. I wouldn't expect the clients to be on Linux (yet). ;-)

    >
    > > Well, once you get the general gist down, you can break it up and
    > > simplify it into a checklist. Someone else mentioned that
    > > security is an attitude. This is true. It's a way of thinking
    > > about how you manage your systems. Identify your critical
    > > assets, i.e. what data are you trying to protect? Then, build
    > > your protection scheme from the inside out.
    >
    > I'm trying to achieve 2 things. Protect these servers from
    > hostiles on the Internet and protect the users from themselves
    > (spam and content filtering). :(
    >

    Well, they are basically one and the same. While the users may be
    ignorant, despite attempts at training ;-), spam, phishing, malware,
    all comes from "hostiles on the Internet". The question is really
    (and you don't have to answer this - on list at least :-) ), "what's
    your money maker?" Not wanting to get hacked is not a critical
    asset. Webservers (containing a company's web presence), development
    images, money (if you're a bank), personal information of
    employees/customers, intellectual property... these are all examples
    of things that you're trying to protect. Once you identify the
    systems that contain/manipulate/transfer that data, you can secure
    it more appropriately.

    --
    - Charlie
     
    5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF
     
     In memoriam: http://www.militarycity.com/valor/1029976.html

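Added example, not part of the original message or of any tool named in it: a sketch of the "script to manage your iptables configuration" idea, restricted to the host-side job described above (default-deny inbound, plus only the services you allow through). The "name:proto:port" list format and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. The service list is a constructed sample using the services
# named in the message (DNS, HTTP, SMTP); "name:proto:port" is an assumed format.
ALLOWED_SERVICES="dns:udp:53
dns:tcp:53
http:tcp:80
smtp:tcp:25"

# Accept only a plain name, tcp/udp, and a port in 1-65535, so a typo in the
# list aborts the build instead of yielding a malformed or wider rule.
valid_entry() {
    case "$1" in ''|*[!a-z0-9_-]*) return 1 ;; esac
    case "$2" in tcp|udp) ;; *) return 1 ;; esac
    case "$3" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ]
}

# Print a complete filter table in iptables-restore format: default-deny
# inbound, loopback and established traffic allowed, then one rule per service.
# Returns non-zero (with partial output) if any entry is rejected.
build_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    while IFS=: read -r name proto port; do
        [ -n "$name$proto$port" ] || continue   # skip blank lines only
        if ! valid_entry "$name" "$proto" "$port"; then
            echo "rejected entry: $name:$proto:$port" >&2
            return 1
        fi
        printf '%s\n' "-A INPUT -p $proto --dport $port -m state --state NEW -m comment --comment $name -j ACCEPT"
    done <<EOF
$1
EOF
    printf '%s\n' 'COMMIT'
}

# Print the ruleset for review. To load it (as root), check the exit status
# first and pipe the text to iptables-restore; --test parses without committing.
build_ruleset "$ALLOWED_SERVICES"
```

Because the whole table is generated from one validated list, adding or removing a service is a one-line change and the default-deny policy cannot be dropped by a mistyped command.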

