Re: Feedback solicited - best way to harden a mail/web server?
From: /dev/rob0 (rob0@gmx.co.uk)
Date: 12/27/02
- Previous message: Erik Ljungström: "Re: version"
- In reply to: Jared H.: "Feedback solicited - best way to harden a mail/web server?"
- Next in thread: Jared: "Re: Feedback solicited - best way to harden a mail/web server?"
- Reply: Jared: "Re: Feedback solicited - best way to harden a mail/web server?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: /dev/rob0 <rob0@gmx.co.uk> Date: Thu, 26 Dec 2002 19:55:57 -0800
Jared H. wrote:
> I've been rootkitted again; third time in the last six months. Advice
Wow. That's awful.
> I have an old laptop that I can stick in front of the cable modem as a
> dedicated firewall/gateway. While it's only a 233MHz Pentium MMX, it has
> 144 MB of RAM and a 6GB disk, so I figure I can run Mandrake MNF or
> Trustix or Embedix or whatever else I need to.
*Way* overkill for the job. I use a 386 with 8MB (Slackware 8.1). With a
little tweaking (increase ip_conntrack_max to 1024) it seems to handle a
cable modem easily. Its 300MB hard drive is less than 1/3 full.
> What distro to use next? Surveying what was out there, Mandrake's MNF
I'm partial to Slackware, but I believe any distro can be secured, at
least against known exploits.
> Should I dedicate the old laptop to be a pure fw/gateway? - bearing in
> mind that with two NICs maximum, I can't set up a DMZ.
I think a dedicated firewall machine is a good idea. I don't think a DMZ
is that important for a typical home network. You can make a virtual DMZ
in numerous ways, such as by creative subnetting (put the DMZ machine on
192.168.0.129 and the protected machines on .2-.126 with 25-bit netmasks
and the firewall at .1 with a 24-bit netmask; make sure the protected
machines have no route to the DMZ.)
> Even if I scratch up the bucks for a desktop to make a three-NIC gateway
Bucks? Just dive in a dumpster. :)
> (putting mail/web on a DMZ), how is that more secure? Break into the
> firewall machine and one can see everything the firewall can.
So restrict what can be done from the firewall machine. Run firewalls on
the inside machines if you're that worried about it.
> Would a dedicated fw/router appliance be more secure (I can't afford Cisco
> grade here - we're talking something like a Netgear or SMC or Linksys)?
Those companies would say so. :) But I doubt it. It's really the same
thing, just another software-based router. The difference is that with a
Linux router you know exactly what it is. If a vulnerability is reported
you can be fairly confident it will be fixed very soon.
> Assuming the intruder broke into Postfix (port 25) or Apache (port 443) or
Assuming? Didn't you find out where the break-in occurred? I'd want to
know, if I were you.
> bind (port 53), would chrooting have done anything to minimize damage by a
> Trojan?
That's a hypothetical question which only deserves a "probably so"
answer. :)
> really worth it for a home LAN? The only sensitive info is financial, and
Only you can decide the value. It's hard for me to imagine how/why a
home system is such a target as yours has been. Sure, there are script
kiddies out there scanning for known exploits, but if you keep up on
your security updates they shouldn't find any of those.
Good luck!
-- /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net or put "not-spam" or "/dev/rob0" in Subject header to reply
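The "virtual DMZ" subnetting trick in the reply above depends on two things: the protected hosts must carry the 25-bit mask (so a packet for the DMZ half of the /24 leaves via the default gateway, i.e. the firewall, where it can be filtered), and the firewall alone keeps the 24-bit view. A host accidentally configured with a /24 will ARP for the DMZ machine directly and the firewall never sees that traffic. The following checker is an added example and not code from the post; it assumes each host has only a connected route plus a default route pointing at the firewall, and the addresses (192.168.0.1/24 firewall, .2-.126/25 protected, .129/25 DMZ) are taken from the reply.

```python
import ipaddress

# Addressing plan from the reply, set up here as constants (constructed example data):
# firewall .1 with a 24-bit mask, protected hosts .2-.126 with 25-bit masks,
# DMZ host .129 with a 25-bit mask.
FIREWALL_IP = ipaddress.ip_address("192.168.0.1")
PROTECTED_NET = ipaddress.ip_network("192.168.0.0/25")   # hosts .1-.126
DMZ_NET = ipaddress.ip_network("192.168.0.128/25")       # hosts .129-.254


def next_hop(host_iface, dst):
    """Where a host configured as host_iface ('ip/prefix') sends a packet to dst.

    Returns 'direct' when dst lies inside the host's own subnet (the host ARPs
    for it and the firewall never sees the packet); otherwise the packet goes
    to the default gateway, which in this plan is the firewall.
    Assumption: the host's route table is just its connected subnet plus a
    default route via the firewall.
    """
    iface = ipaddress.ip_interface(host_iface)
    if ipaddress.ip_address(str(dst)) in iface.network:
        return "direct"
    return str(FIREWALL_IP)


def check_plan(protected_ifaces, dmz_ifaces, firewall_iface="192.168.0.1/24"):
    """Return a list of problems with a virtual-DMZ plan; an empty list means OK."""
    problems = []
    fw = ipaddress.ip_interface(firewall_iface)

    # The firewall's 24-bit subnet must cover both halves, or it cannot reach them.
    for net in (PROTECTED_NET, DMZ_NET):
        if not net.subnet_of(fw.network):
            problems.append(f"firewall subnet {fw.network} does not cover {net}")

    # Every protected host must sit in the low half with the narrow mask,
    # and must NOT be able to reach a DMZ host without going through the firewall.
    for h in protected_ifaces:
        hi = ipaddress.ip_interface(h)
        if hi.ip not in PROTECTED_NET:
            problems.append(f"{h}: address outside the protected range {PROTECTED_NET}")
        if hi.network != PROTECTED_NET:
            problems.append(f"{h}: wrong netmask, expected /{PROTECTED_NET.prefixlen}")
        for d in dmz_ifaces:
            di = ipaddress.ip_interface(d)
            if next_hop(h, di.ip) == "direct":
                problems.append(f"{h} reaches DMZ host {di.ip} directly, bypassing the firewall")

    # DMZ hosts must sit in the high half with the same narrow mask.
    for d in dmz_ifaces:
        di = ipaddress.ip_interface(d)
        if di.ip not in DMZ_NET or di.network != DMZ_NET:
            problems.append(f"{d}: not a proper /{DMZ_NET.prefixlen} address inside {DMZ_NET}")

    return problems


if __name__ == "__main__":
    good = check_plan(["192.168.0.2/25", "192.168.0.126/25"], ["192.168.0.129/25"])
    print("plan as described:", good or "OK")
    # One protected host mistakenly given the firewall's 24-bit mask.
    bad = check_plan(["192.168.0.2/24"], ["192.168.0.129/25"])
    for p in bad:
        print("problem:", p)
```

Run with no arguments to see the plan from the reply pass and the /24 mistake flagged twice (wrong mask, and direct reachability of the DMZ host). The "no route to the DMZ" condition in the reply is what `next_hop` models: with the correct /25 the only path to .129 is via .1, so a rule on the firewall decides whether protected hosts may talk to the DMZ at all.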
- Next message: root: "history files"