
Re: kernel security?



On Sun, December 6 1998, John Gonzalez/netMDC admin <ekool@ns1.netmdc.com> wrote:
|
|it will probably be best to convince this ISP to set up his routers
|properly. Among many filters he should have, make SURE he has at least
|these few:
|
|Do not accept packets from OUTSIDE his network DESTINED to HIS network
|with HIS network range. Ie. Nothing should be coming in to his network on
|his wan link, from within his network.
|
|Don't allow any packets OUT the network unless it is addressed from WITHIN
|his network.
|
|You can also block certain ranges, that should not be in use. 10.* 192.*,
|others.

I'd also add broadcast (global and network-specific) with both
all-ones and all-zeros to that list.

Consider blocking all UDP packets except to/from port 53 of the name
server.  Same with TCP except for the relevant services on the
relevant machines.

If applicable, consider having a SonicWall or maybe one of the
Linux-based firewalls I think I've seen floating by on
Freshmeat/Linuxtoday - their main advantage as I see it is that they
have stateful filtering.

Make sure the routers on the way (as far as they are under your control)
have non-obvious SNMP communities/telnet password (or disable SNMP
altogether if you don't need it).

Make sure you absolutely need every package installed on your machine
(e.g. I didn't install junkbuster because I didn't have any use for it
- later it was found to contain a security hole - got the idea?)

Another extra step - in addition to the router filtering, install a
2.0.36 kernel with the ipchains patch (and the secure-linux patches?) 
and add the same filters.

Cheers,

--Amos

--Amos Shapira                    | "Of course Australia was marked for
133 Shlomo Ben-Yosef st.          |  glory, for its people had been chosen
Jerusalem 93 805                  |  by the finest judges in England."
ISRAEL        amos@gezernet.co.il |                     -- Anonymous
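The filters discussed in this thread (anti-spoofing on the WAN link in both directions, private ranges, all-ones/all-zeros broadcasts, UDP only to/from port 53 of the name server, TCP only to the relevant services) modelled as a decision function over constructed packets. This is an added example, not code from either poster; the address range 203.0.113.0/24, the name-server address and the per-host TCP service table are assumptions.

```python
# Added example: a model of the router/ipchains filters described in the thread,
# evaluated against constructed packets on the WAN link. All addresses assumed.
from ipaddress import ip_address, ip_network

OWN_NET = ip_network("203.0.113.0/24")          # assumed ISP address range
NAME_SERVER = ip_address("203.0.113.53")        # assumed name server
# "10.*, 192.*, others": RFC 1918 private ranges never belong on the WAN link
BOGONS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "relevant services on the relevant machines": assumed mail and web hosts
ALLOWED_TCP = {ip_address("203.0.113.25"): {25}, ip_address("203.0.113.80"): {80}}

def is_broadcast(addr):
    """All-ones/all-zeros, both global (255.255.255.255, 0.0.0.0) and
    network-specific (the network address and directed broadcast of OWN_NET)."""
    return addr in (ip_address("255.255.255.255"), ip_address("0.0.0.0"),
                    OWN_NET.network_address, OWN_NET.broadcast_address)

def filter_packet(direction, proto, src, dst, sport=None, dport=None):
    """Return 'ACCEPT' or 'DENY' for one packet on the WAN link.
    direction is 'in' (arriving from upstream) or 'out' (leaving towards upstream)."""
    src, dst = ip_address(src), ip_address(dst)
    if any(a in net for a in (src, dst) for net in BOGONS):
        return "DENY"                    # private ranges must not cross the WAN
    if is_broadcast(src) or is_broadcast(dst):
        return "DENY"                    # broadcast amplification / smurf traffic
    if direction == "in" and src in OWN_NET:
        return "DENY"                    # our own addresses cannot arrive from outside
    if direction == "out" and src not in OWN_NET:
        return "DENY"                    # nothing leaves unless it is addressed from us
    if proto == "udp":
        # only DNS to/from port 53 of the name server (it queried from port 53 then)
        if direction == "in" and (dst != NAME_SERVER or dport != 53):
            return "DENY"
        if direction == "out" and (src != NAME_SERVER or sport != 53):
            return "DENY"
        return "ACCEPT"
    if proto == "tcp":
        if direction == "in":           # inbound only to listed services per host
            return "ACCEPT" if dport in ALLOWED_TCP.get(dst, set()) else "DENY"
        return "ACCEPT"                 # outbound TCP from our range is allowed
    return "DENY"                       # default deny for anything not listed
```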
