security

Steve Bougerolle steveb at creek-and-cowley.com
Sun Oct 7 14:54:11 PDT 2001



> I run a single box, a home PC, no networking other than connecting to
> the Internet via a modem. I have the shadow password thingy installed (this
> OS is LFS3.0). Should I take further measures? 

Yes.  Lots of other people have pointed out things to check and you should
check all those.  Nobody has pointed out any measure of risk so far, so I
will - I get anywhere from 3 to 10 probes per day off the Internet, from people
in places as far apart as India and the U.S., checking my system for open
ports.

Having said that, there's not a lot you really NEED to do.  The most
relevant files are hosts.allow and hosts.deny (in /etc, of course).  Set
them with reasonable defaults.  Portmap and TCP wrappers both use these
files, so they'll give you a pretty good basic level of security.  (X
listens over ports 6000-6010 IIRC, so that should even protect you there
although personally I'd rather be over-cautious and start X in no-listen
mode).  

After that it's mostly a question of not running things you don't need. 
Most of us have absolutely no reason to be running TELNETD, FTPD or such
things.  Even if (like me) you do, a quick read through the docs will tell
you which files to configure to limit access.  Use a bit of common sense,
too.  I've got a standard "file server" setup which runs NFS, SAMBA and
FTP.  None of those things requires INET/XINET (FTP can run standalone) so
I don't run XINET.  That means I don't need to worry about turning off that
huge list of mysterious entries in inetd.conf.

Ipchains looks pretty easy to set up and it looks like good stuff (it's
even a default part of the DSL PPPoE package I set up), but 

<begin nitpicking rant>

I don't use it anyway because I think an internal firewall is a
contradiction in terms.  If it's running on the same computer as your other
stuff it can be relatively easily compromised by a trojan.  I usually have
this argument in relation to Windows, where it seems clear to me that
companies pushing these "personal firewalls" are just trying to take
business advantage of various sorts of virus hysteria.  Not that the
programs themselves are bad things; they could be quite useful just to SEE
what's going on.  But as serious protection they don't rate at all in my
mind.  The chances there of you being invaded by a direct attack over the
Internet seem pretty slim compared to the odds of being infected by some
sort of virus or trojan YOU install yourself.

In Linux the situation is a bit different but I think the logic still
applies.  We're not at much risk of viruses yet, and should never have the
same problems with trojans that Windows does - UNLESS a big enough pool of
people develop the stupid habit of reading their e-mail as root.  On the
other hand, we (LFS people especially) are all using software we've
downloaded from public sites which are hopelessly badly protected (not to
slam anyone, but I think that's a pretty safe assessment).  All it takes is
for ONE of those many many packages we try out to contain a bit of nasty
code to circumvent ipchains (or any other sort of firewall you're running)
and you'll get it - as long as you're trying to run your firewall on the
same computer.

<end nitpicking rant>

If you're worried about that level of stuff then you want to start getting
into tripwire, tiger, PGP Keys and all those wonderful things.  I'm not
worried about that yet, but I'll be honest enough to say I haven't really
checked to see if I SHOULD be that worried.  

Here's my /etc/hosts.allow file:

portmap: 192.168.0.1,192.168.0.2
lockd: 192.168.0.1,192.168.0.2
rquotad: 192.168.0.1,192.168.0.2
mountd: 192.168.0.1,192.168.0.2
statd: 192.168.0.1,192.168.0.2

and /etc/hosts.deny:

portmap:ALL
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL

My home network has three machines, so I just list the other two directly. 
If you're running on a bigger system then you need proper network
addressing.  The relevant man page is hosts_access(5).
