security

J.A. Neitzel jan.listbox at belvento.org
Sun Oct 7 13:43:05 PDT 2001


Tom Panning wrote:
>> I don't know if I agree completely about the firewall thing... But,
>> this is mostly because I don't know much about them.

Hi, this here statement   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^   is probably
the biggest thing =)

> My LFS box is serving as an IP-Masq box, so I had a bit more interest in
> running a firewall on it. In the process of figuring out how to set up the
> firewall, I found many interesting tidbits on why this can make a
> difference, even if your box isn't doing IP-Masq.

Ayup? Don't get me wrong at all... I'm not averse (sp?) to firewalls
at all. It's just because I don't already know a lot about them...
Now, I'm gonna start learning because of the definite advantages. Of
course, then all of my previous security knowledge/opinions will be
modified to incorporate the new things I learn... Yay! =)

I actually have read some of the masq and firewall stuff before. I
have simply never *really* had time to sit down and say, "Ok, I'm
gonna do this now!". Time time time, if only there was more of it.

> (Note: all of the info about what script kiddies do and don't do is based
> off what I have read, I've never actually met or been someone who gained
> unauthorized access to a machine, so everything I say here is third-hand
> info)

Third-hand info/knowledge is quite important.

> 1) Every raw LFS box with networking responds to ping requests by default.
> Script kiddies used to use ping to find running computers. From what I
> understand, they can discern the basic OS-type that you're running from the
> ping response.

Except for mine... ;)
This is one of the first things I do when I bring up a new system.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This, and other similar measures, can work wonders...

> Basically, the idea is to make your box disappear from the network as much
> as possible. After all, if they don't know you exist, how can they crack
> you? :-)

Agreed

> For working with iptables, read:
> http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html

I think that's in my bookmarks already. Wait, /me looks now.
Nope, not there. Added to bookmarks and list of things to read.
Thanks

<snip all_the_other_interesting_stuff />

> P.S. Don't be intimidated by the firewalling stuff, it doesn't have to be
> very complicated, particularly with iptables. If you run into a problem
> setting up iptables, I'll be happy to help.

Right right, I understand that... It's not intimidation. It's time.
Thanks for the offer though. I might have a question sometime soon.
-- 
Cheers,
Jeff
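As an added example that is not part of the thread above (neither Jeff's nor Tom's code), the following POSIX shell functions audit the icmp_echo_ignore_all setting mentioned in the reply and record it persistently in a sysctl.conf-style file, so it survives a reboot instead of being lost with the one-off echo into /proc. File paths are parameters (an assumption of this example) so the functions can be exercised on constructed files without root.

```shell
#!/bin/sh
# Added example: audit and persist net.ipv4.icmp_echo_ignore_all.
# Paths default to the real kernel/config locations but are overridable
# so the logic can be checked against constructed files.

# Report whether the kernel currently ignores ICMP echo requests.
# $1 = sysctl file (default: the live /proc entry). Prints one word.
icmp_echo_status() {
    f="${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}"
    [ -r "$f" ] || { echo "unknown"; return 2; }
    case "$(cat "$f")" in
        1) echo "ignoring";   return 0 ;;
        0) echo "responding"; return 1 ;;
        *) echo "unknown";    return 2 ;;
    esac
}

# Record the setting in a sysctl.conf-style file (default /etc/sysctl.conf)
# so it is reapplied at boot. Idempotent: an existing assignment of the key
# is replaced rather than duplicated; other lines are left untouched.
# $1 = desired value (0 or 1), $2 = config file path.
persist_icmp_echo_ignore() {
    val="$1"
    conf="${2:-/etc/sysctl.conf}"
    key="net.ipv4.icmp_echo_ignore_all"
    case "$val" in 0|1) ;; *) echo "value must be 0 or 1" >&2; return 1 ;; esac
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    # drop any existing assignment (with or without spaces around '=')
    grep -v "^[[:space:]]*$key[[:space:]]*=" "$conf" > "$tmp" || true
    printf '%s = %s\n' "$key" "$val" >> "$tmp"
    mv "$tmp" "$conf"
}

# Number of lines in a config file that assign the key (verifies idempotence).
count_key_lines() {
    grep -c "^[[:space:]]*net.ipv4.icmp_echo_ignore_all[[:space:]]*=" "$1"
}
```

Applying the persisted value immediately still needs the echo into /proc (or `sysctl -p`) as root; the firewall route Tom describes would instead drop ICMP echo-request in the iptables INPUT chain, which is not done here.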

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message