Re: security setup without firewall?

In comp.os.linux.security Tom Forsmo <spam@xxxxxxxxxx>:
> hi
>
> I have been hearing from different sources that a truly good security
> setup does not require a firewall. Of course that depends on the
> situation for the system, but if one considers a single home computer,
> is it plausible to have basic security without a firewall?

Sure, you don't need a firewall at all, if you know what you are
doing. Since you ask, it is obvious you don't have the required
skills to do so until now.

> The reason I am asking is that I am looking for the simplest way to
> centrally control which ports are open and for which addresses. The
> problem is that most firewall systems on linux are pretty complex, e.g.
> shorewall, and that makes it difficult to make it work properly.

No they aren't, it is just you didn't spend the required time to
dig deeper into it. Using one or another helper app to set up
iptables will not teach you much if anything.

There are quite a few great iptables howtos (www.tldp.org), which
explain in detail how packets traverse the Linux built-in
firewall. If you get these basics it isn't that difficult anymore.

> I was initially thinking that setting hosts.deny/allow would cover a lot
> of ground. When I tested it, by setting deny: ALL:ALL, I found that
> SSH was affected but http was not. I also found that nmap finds all the

Just because your sshd was likely per distro package compiled
with support for tcp_wrappers. Apache isn't usually, since mostly
the purpose of some http server is to let people view stuff and
apache has its own layers of access control which are iirc finer
grained than the additional access control sshd has built in.
Apart from the huge security difference from shell access to http
access.

> ports open. This suggests to me that if I don't use a firewall I have to
> separately configure all the different services to make a basic security
> config.

> So the question is, is there a single file such as allow/deny that can
> be used to control visibility of ports and access in an easy way, or is
> a firewall the only real option for this (which means that I would have
> to throw out shorewall and just use iptables directly)?

Dunno why you are scared about the visibility of ports? If you
don't run anything on them, there is no problem.

In short, security is like an onion: the more layers you have the
better; if one should fail, usually due to misconfiguration, you
still have more protecting you.

The easiest, especially looking at sshd, is to deny direct root
logins at first. Probably one reason people get cracked: sshd
running open to the internet with direct root logins enabled. Any
attacker doesn't have to guess a user name but can just go on
trying to login as root with some dictionary attack tool. Now if
your root password is trivial you have already lost your machine.

Good luck

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@xxxxxxxxxx | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 191: Just type 'mv \* /dev/null'.
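An added example, not from Michael's reply or Tom's question: a sh script that puts the three "onion layers" discussed in this thread into one place, namely a default-deny iptables INPUT policy that opens only the ports you choose and restricts ssh to one network (the central control Tom asked for), the tcp_wrappers hosts.allow/hosts.deny contents for the services that honour them, and a check that sshd_config has PermitRootLogin set to no. The LAN address 192.168.1.0/24 and the ports 22 and 80 are constructed assumptions; DRY_RUN=1 prints the iptables commands instead of running them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original thread): minimal host firewall for a
# single home machine plus the two extra layers mentioned in the reply.
# Constructed assumptions: LAN is 192.168.1.0/24, sshd on 22, a web server on 80.
# With DRY_RUN=1 the script only prints the iptables commands it would run.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"
HTTP_PORT="${HTTP_PORT:-80}"

# Wrapper: print the iptables command in dry-run mode, execute it otherwise.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Layer 1: the complete INPUT policy. Unopened ports are simply dropped,
# so a port scan sees nothing there; ssh is reachable from the LAN only.
firewall_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP                  # default deny for everything inbound
    ipt -P FORWARD DROP                # a single host does not route
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT       # local processes talk to themselves
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -p tcp -s "$LAN_NET" --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport "$HTTP_PORT" -m state --state NEW -j ACCEPT
    # Log what falls through to the DROP policy, rate-limited so the log
    # cannot be flooded by a scan.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

# Layer 2: tcp_wrappers. Prints the hosts.deny / hosts.allow contents; only
# services linked against libwrap (sshd usually, apache usually not) use them.
tcp_wrappers_config() {
    printf 'hosts.deny:\nALL: ALL\n\n'
    printf 'hosts.allow:\nsshd: %s\n' "$LAN_NET"
}

# Layer 3: the sshd setting the reply recommends. Returns 0 when direct root
# logins are disabled in the given config file, 1 otherwise.
root_login_disabled() {
    cfg="${1:-/etc/ssh/sshd_config}"
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$cfg"
}

# Apply everything when invoked as "script apply"; review with DRY_RUN=1.
if [ "${1:-}" = apply ]; then
    firewall_rules
    tcp_wrappers_config
    if root_login_disabled; then
        echo "sshd: direct root logins disabled"
    else
        echo "sshd: set 'PermitRootLogin no' in /etc/ssh/sshd_config" >&2
    fi
fi
```

Run `DRY_RUN=1 sh setup.sh apply` first and read the printed rule list; only the first block of commands needs root, and the hosts.allow/hosts.deny lines still have to be copied into the files by hand. The LOG rule is deliberately the last rule before the DROP policy, so the log shows exactly what the policy rejected.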