Re: security in general
From: "Ingmar Schrey" <firstname.lastname@example.org>
Real system administrators are a bit paranoid I'm told...
...so that's ok I think. ;)
hehe they *made* me paranoid!
Yeah I wanted to do that, but unfortunately I already had it connected for
like 24h or so. I could still do that, but I guess if I wanna do it right,
I'd have to reinstall the box.. Stupid me :(
- use things like tripwire (but that's only 100% safe if you set it up
before the machine's connected to the net the first time)
- switch to 2.4.x Kernel (use iptables instead of ipchains),
- replace inetd with a more secure service
I don't use inetd, it is disabled.
- chroot jails
I'll have to look into this, but
- use proxy servers instead of routing/masquerading over the firewall
When all internal clients are 100% trustworthy I should do this as well?
And: won't it up the requirements for the machine? I have a p166 laptop as
a server right now (let the power-outage come, I don't care for about 3
hours. Of course, I can't use the clients then so it's useless anyway, but
it protects data-integrity ;) And it's quite small and it hardly makes any
I actually do that sometimes :) When I see activity on the outgoing network
and there's no-one that activated it I sometimes pull the plug to make sure.
- pull the plug? :))
Every x minutes/hours it checks the logs for certain events and mails it to
the address of your choice (like firewall-hits).
Yeah I could switch off logging, but then I'd have 0 info on anything that
I dunno, somehow the info is useless, but not having it just doesn't sound
you could make ipchains log to a separate file instead of
...or you could switch off logging unwanted stuff in ipchains rules?
don't know logcheck...
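The logcheck idea discussed above (scan the log every so often, pick out the firewall hits, drop the noise you don't care about and mail the rest to yourself) is small enough to show in full. The following is an added example written for this page, not logcheck itself and not code from anyone in the thread. It assumes a 2.4-kernel iptables setup whose LOG rule uses --log-prefix "FW-DROP: " (an assumption, the thread names no prefix) and that the kernel messages end up in a syslog file; the log lines embedded below are constructed for the example. It reports per-source counts and the ports probed, filters NetBIOS noise out of the *report* rather than out of the *rules* (so the raw log stays complete, which is the trade-off the thread is circling around), and builds the mail without sending it.

```python
"""Minimal logcheck-style scanner for iptables LOG lines (added example)."""
import re
from collections import Counter, defaultdict
from email.message import EmailMessage

# Constructed sample syslog lines in the 2.4-kernel iptables LOG format.
# The "FW-DROP: " prefix is an assumed --log-prefix, not from the thread.
SAMPLE_LOG = """\
Mar  3 10:01:12 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=3456 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:13 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4322 DF PROTO=TCP SPT=3457 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:02:40 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=118 ID=9001 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:02:41 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=118 ID=9002 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:03:05 gw sshd[812]: Accepted publickey for ingmar from 10.0.0.5 port 40112 ssh2
Mar  3 10:04:19 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4330 DF PROTO=TCP SPT=3460 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# One kernel LOG line.  SPT/DPT are optional because ICMP hits have neither.
FW_LINE = re.compile(
    r"kernel: FW-DROP: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Destination ports whose hits we don't want to read about every hour.
# NetBIOS probes from the outside are the classic noise.  Filtering here
# keeps the raw log complete; switching the LOG rule off would not.
NOISE_PORTS = {137, 138, 139, 445}


def parse_hits(lines):
    """Yield (src, dst, proto, dpt) for every firewall LOG line; skip the rest."""
    for line in lines:
        m = FW_LINE.search(line)
        if not m:
            continue  # sshd, cron, ... are not firewall hits
        dpt = int(m.group("dpt")) if m.group("dpt") else None
        yield m.group("src"), m.group("dst"), m.group("proto"), dpt


def summarize(lines, noise_ports=NOISE_PORTS):
    """Count hits per source and collect the ports each source probed."""
    counts = Counter()
    ports = defaultdict(set)
    ignored = 0
    for src, _dst, proto, dpt in parse_hits(lines):
        if dpt in noise_ports:
            ignored += 1
            continue
        counts[src] += 1
        ports[src].add(f"{proto}/{dpt}" if dpt is not None else proto)
    return {"counts": counts, "ports": ports, "ignored": ignored}


def build_report(lines, to_addr, noise_ports=NOISE_PORTS):
    """Render the summary as the e-mail logcheck would send (not sent here)."""
    s = summarize(lines, noise_ports)
    total = sum(s["counts"].values())
    body = [f"{total} firewall hit(s) from {len(s['counts'])} source(s); "
            f"{s['ignored']} noise hit(s) left out of this report."]
    for src, n in s["counts"].most_common():
        probed = ", ".join(sorted(s["ports"][src]))
        body.append(f"  {src:15s} {n:4d}  ports: {probed}")
    msg = EmailMessage()
    msg["Subject"] = f"firewall hits: {total}"
    msg["To"] = to_addr
    msg.set_content("\n".join(body) + "\n")
    return msg


if __name__ == "__main__":
    # In a cron job you would read the file the firewall logs to, then hand
    # the message to smtplib; here we just print what would be mailed.
    print(build_report(SAMPLE_LOG.splitlines(), "root@localhost"))
```

Run it from cron every x minutes with the real log file (or the separate file you make the kernel log to) in place of SAMPLE_LOG and hand the returned message to smtplib. Note what the filter does and does not do: the two UDP/137 probes from 192.0.2.44 disappear from the mail but are still in the log, while the three TCP probes from 203.0.113.7 against telnet, portmap and ssh are reported together, which is the pattern you want to see as one sweep rather than three separate lines.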
Nathan Valentine - email@example.com
I could try that, I'd have to look up some info on the program. I assume
nessus checks for known vulnerabilities? Sounds ok, never hurts.
As for snort in IDS mode, snort is like tripwire right? Hmm that means
someone is already inside the system and it's too late already..
Sounds like you've almost everything covered. About the only things I
could recommend would be to run nessus against yourself and install
snort in IDS mode.
Will have to read up on it tho :)
From: "Karl E. Jorgensen" <firstname.lastname@example.org>
kjfsgjks: You probably have a real name. Why not use it?
I dislike giving out real names, especially to hotmail etc.
I'm sorry for the total lack of any resemblance to a real (/fake) name, I
can see how that is irritating. I will change it after this mail.
Active and passive, so I need the high ports as well. Some programs can't be
set to passive ftp.
Are your users using passive mode FTP? If so, then you can block
off the high port numbers too.
Thanks to all who responded and took the time to read the mail. I'm still
open to suggestions and will definitely look into them!