Re: Feedback solicited - best way to harden a mail/web server?
From: Jared (jared@hwai.com)
Date: 12/27/02
- Next message: Erik Ljungström: "Re: cryptoapi"
- Previous message: Jared: "Re: Feedback solicited - best way to harden a mail/web server?"
- In reply to: /dev/rob0: "Re: Feedback solicited - best way to harden a mail/web server?"
- Next in thread: Don: "Re: Feedback solicited - best way to harden a mail/web server?"
- Reply:(deleted message) Don: "Re: Feedback solicited - best way to harden a mail/web server?"
- Reply: Alan Frame: "Re: Feedback solicited - best way to harden a mail/web server?"
From: jared@hwai.com (Jared)
Date: 27 Dec 2002 08:30:05 -0800
/dev/rob0 <rob0@gmx.co.uk> wrote in message news:<slrnb0njqc.66d.rob0@linuxbox.stpaultel.com>...
> I think a dedicated firewall machine is a good idea. I don't think a DMZ
> is that important for a typical home network. You can make a virtual DMZ
> in numerous ways, such as by creative subnetting (put the DMZ machine on
> 192.168.0.129 and the protected machines on .2-.126 with 25-bit netmasks
> and the firewall at .1 with a 24-bit netmask; make sure the protected
> machines have no route to the DMZ.)
Hmm, that's an intelligent scheme, and would force everything through
the firewall. What a good idea. Thanks!
> So restrict what can be done from the firewall machine. Run firewalls on
> the inside machines if you're that worried about it.
Not sure what you mean by the first sentence. The firewall has to
route, has to run bind and iptables at least; but that is true of my
current fw/gty machine, which some script kiddie managed to get a
trojan on anyway.
> Assuming? Didn't you find out where the break-in occurred? I'd want to
> know, if I were you.
I do, but I didn't know about Tripwire. Binary dates all appear OK.
If it wasn't for upgrading chkrootkit I wouldn't know about it at all.
Next time...
> Only you can decide the value. It's hard for me to imagine how/why a
> home system is such a target as yours has been. Sure, there are script
> kiddies out there scanning for known exploits, but if you keep up on
> your security updates they shouldn't find any of those.
I have to think it was a scripter playing at it - I keep no sensitive
information (personal or professional) on my machines (bank account
numbers, credit cards, social security numbers and the like). My
concern is that people will start doing this to facilitate identity
theft (though perhaps due diligence in checking employee history by
credit reporting companies would be more effective).
Guess I'll start looking at the secure distros...
Thank you for responding, and for your subnetting scheme.
Kind regards,
jh
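
The subnetting scheme quoted above, checked with Python's ipaddress module (an added example, not part of the original posts). The protected host .10 is a constructed sample, and next_hop is a simplified model of a host that has only its connected route, optional explicit host routes and an optional default gateway.

```python
import ipaddress

# Addresses from the quoted scheme; 192.168.0.10 is a constructed sample
# standing in for any protected machine in .2-.126.
HOSTS = {
    "firewall": ipaddress.ip_interface("192.168.0.1/24"),
    "protected": ipaddress.ip_interface("192.168.0.10/25"),
    "dmz": ipaddress.ip_interface("192.168.0.129/25"),
}


def on_link(src, dst, host_routes=()):
    """True if src would deliver to dst directly (ARP on the shared wire):
    dst falls inside src's connected subnet, or src has an explicit
    on-link host route for dst."""
    return dst in host_routes or HOSTS[dst].ip in HOSTS[src].network


def next_hop(src, dst, gateway=None, host_routes=()):
    """Return 'direct', the gateway's name, or None when src has no route.
    Assumption of this model: a default gateway is usable only if the
    gateway itself is on-link for src."""
    if on_link(src, dst, host_routes):
        return "direct"
    if gateway is not None and on_link(src, gateway, host_routes):
        return gateway
    return None


def report():
    """Next hop for every ordered pair, with the firewall as default gateway."""
    return {
        (s, d): next_hop(s, d, gateway="firewall" if s != "firewall" else None)
        for s in HOSTS for d in HOSTS if s != d
    }


if __name__ == "__main__":
    for (s, d), hop in report().items():
        print(f"{s:>9} -> {d:<9} {hop}")
    # The DMZ host's /25 (192.168.0.128/25) does not contain the firewall
    # at .1, so it needs an explicit host route to the firewall first.
    print(next_hop("dmz", "protected", "firewall", host_routes=("firewall",)))
```

The separation here is by routing only: all three machines still share one layer-2 segment, so the packet filter on the firewall is what enforces policy between the two halves.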