security

Dave Anselmi anselmi at americanisp.net
Tue Oct 9 12:30:19 PDT 2001


Fergus Belford wrote:

> Despite this seeming unconcern, I would like to hear the opinions of
> others on what level of security I should reasonably implement.  Bear in
> mind, this PC is a home jobby, nothing of importance is stored on it -
> well nothing that can't be built or typed or downloaded again.

I would suggest that if you have no ports listening, you are pretty safe.
Ports you are using for outbound traffic might be vulnerable, but very
unlikely, and a firewall isn't going to help in most cases.  Here are 2
reasons you might want to run iptables (on top of the educational
experience):

1) Use it to log what goes on with your dial-up connection.  That way you
can see what is happening and judge better how visible you are to the
outside.  Something called portsentry may be helpful for this too.

2) Set up the basic 'deny everything except outgoing connections' so that if
you happen to open a port (by mistake, most likely) you won't become
vulnerable.  As pointed out, don't let this give you a false sense of
security - test it out as much as you can, and keep logging to help you find
any unwanted openings.  You might also deny (or at least log) outgoing
connections that are not to places you don't go (perhaps all traffic
initially).  That will help you understand what your actual usage is which
will help you understand abnormalities if they occur.

Of course reviewing logs to see what is happening is good for your
education, but will depend on how interested you are in getting educated.
If you don't have the time or interest, I can't blame you for that.

An anecdote: I once worked at a large organization that was *extremely*
paranoid.  One afternoon the intrusion detection alarms went off "Oh my gosh
we're under attack!", "Launch the ready 5 aircraft!", "All hands to
battlestations!".  After large numbers of people had dropped what they were
doing and briefings were made at the highest levels, it was discovered that
an admin had misconfigured an NFS server.  The fact is though, that by
having alarms in place everyone learned something.  If that had not been the
case, the server might still be sending out bogus packets with no one the
wiser.  I know of some ISPs here that are doing that routinely - they are
notified of the problem by Linux users that are watching them more closely
than they do themselves.  Sometimes they even fix the problem.

Thanks for listening to my ramblings.

Dave


-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message
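
One way to act on the advice above about logging and reviewing traffic, as an added example that is not part of the original post: a Python script that turns netfilter LOG lines into counts of inbound probes per port and new outbound connections per destination. The log prefixes, the `ppp0` interface name, the host name and every sample line are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's netfilter LOG format. The prefixes
# are assumed to come from rules such as (assumption, not from the post):
#   iptables -A INPUT  -j LOG --log-prefix "IN-DROP: "
#   iptables -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT-NEW: "
SAMPLE_LOG = """\
Oct  9 12:01:14 box kernel: IN-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=112 PROTO=TCP SPT=3345 DPT=139 SYN
Oct  9 12:01:17 box kernel: IN-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=112 PROTO=TCP SPT=3345 DPT=139 SYN
Oct  9 12:03:40 box kernel: IN-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.99 DST=198.51.100.7 LEN=48 TTL=109 PROTO=TCP SPT=1187 DPT=139 SYN
Oct  9 12:04:02 box kernel: IN-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.7 LEN=84 TTL=51 PROTO=ICMP TYPE=8 CODE=0
Oct  9 12:05:10 box pppd[412]: rcvd [LCP EchoRep id=0x1 magic=0x5f3a]
Oct  9 12:06:31 box kernel: OUT-NEW: IN= OUT=ppp0 SRC=198.51.100.7 DST=192.0.2.25 LEN=60 TTL=64 PROTO=TCP SPT=1029 DPT=25 SYN
Oct  9 12:06:55 box kernel: OUT-NEW: IN= OUT=ppp0 SRC=198.51.100.7 DST=192.0.2.80 LEN=60 TTL=64 PROTO=TCP SPT=1030 DPT=80 SYN
Oct  9 12:07:03 box kernel: OUT-NEW: IN= OUT=ppp0 SRC=198.51.100.7 DST=192.0.2.80 LEN=60 TTL=64 PROTO=TCP SPT=1031 DPT=80 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; bare flags like SYN are skipped

def parse_line(line):
    """Return the KEY=value fields of a netfilter LOG line, or None otherwise."""
    fields = dict(FIELD.findall(line))
    if "kernel:" not in line or "IN" not in fields or "OUT" not in fields:
        return None  # some other syslog line (pppd, cron, ...)
    return fields

def summarize(log_text):
    """Count inbound packets per (proto, port) with their source addresses,
    and new outbound connections per (dest addr, proto, port)."""
    inbound, outbound, sources = Counter(), Counter(), {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        service = (f.get("PROTO", "?"), f.get("DPT", "-"))  # ICMP has no DPT
        if f["IN"]:      # arrived on an interface: someone outside reached us
            inbound[service] += 1
            sources.setdefault(service, set()).add(f.get("SRC"))
        elif f["OUT"]:   # locally generated traffic leaving the machine
            outbound[(f.get("DST"),) + service] += 1
    return inbound, outbound, sources

if __name__ == "__main__":
    inbound, outbound, sources = summarize(SAMPLE_LOG)
    for svc, n in inbound.most_common():
        print("inbound ", svc, n, "packets from", len(sources[svc]), "hosts")
    for dest, n in outbound.most_common():
        print("outbound", dest, n, "new connections")
```

Pointed at the real kernel log instead of `SAMPLE_LOG`, the inbound table shows how visible the machine is from outside and the outbound table gives the baseline of normal usage against which an unexpected destination stands out.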


