TCLUG Archive

Re: [TCLUG:11577] Security Concerns:
> remote syslog host - if they get in and rm your logs, you can still
> screw them!

Try outputting all logging to a serial port, with an old DOS 386 or
something dumping it all to disk. Or to be really paranoid dump it
direct to hardcopy... Or both... :)

> I've also heard some concerns about using the built-in firewalling on
> Linux.  I've seen a few things in bugtraq (maybe not linux, maybe BSD)
> about firewalls not always catching all the packets.  There can be
> times when the firewall rules haven't initialized and the machine is
> vulnerable.  There have also been reports about certain rules not
> working, or allowing the wrong packets (as I remember, a TCP payload
> greater than a certain size could get through?).

1) Set up your firewall script to not turn on forwarding until it's all
set up. Make sure your distribution isn't messing with it before you
do. Know your distribution of choice's rc scripts. :)

My redhat rc.local, hmm, kinda old...
http://www.404error.com/seg/stuff/rc.local.txt
Note the 'echo "1" > /proc/sys/net/ipv4/ip_forward' at the end*...

2) Always have 'always defragment' enabled when compiling a kernel. This
is an obvious place for packets to sneak by. Starting with 2.2 or so, it
won't even let you enable any forwarding/firewalling unless always
defragment is on...

3) Know what you're doing. I'm hoping I do. :)

> If you're connecting through a router I'd definitely consider using any
> firewalling software available on the router IN ADDITION to ipfwadm on
> Linux.  Just to be safe.  Only if you're paranoid.

Remember what you're paid for. ;)
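As an added example (not the poster's rc.local, which is only linked above), a bring-up script that follows the ordering the reply recommends: forwarding off, rule set loaded, only then forwarding on, and nothing routed if any step fails. The iptables rule syntax, the interface names and the 2.2-era ip_always_defrag knob are assumptions; the ipfwadm/ipchains flags of the original era differ.

```shell
#!/bin/sh
# Added example: load the packet filter before enabling IP forwarding,
# so there is no window where the box routes with no rules in place.
# Overridable knobs (assumed names) so the logic can be exercised
# against temporary files without root:
FORWARD_CTL="${FORWARD_CTL:-/proc/sys/net/ipv4/ip_forward}"
DEFRAG_CTL="${DEFRAG_CTL:-/proc/sys/net/ipv4/ip_always_defrag}"  # 2.2 kernels only
FW="${FW:-iptables}"          # rule-loading tool (assumed iptables syntax)
LAN_IF="${LAN_IF:-eth1}"      # assumed interface names
WAN_IF="${WAN_IF:-eth0}"

set_forwarding() { echo "$1" > "$FORWARD_CTL"; }
current_forwarding() { cat "$FORWARD_CTL"; }

# Point 2 of the reply: on a kernel that still exposes the knob, refuse
# to bring the filter up if fragment reassembly is disabled.
check_defrag() {
    [ -r "$DEFRAG_CTL" ] || return 0          # knob absent: nothing to check
    [ "$(cat "$DEFRAG_CTL")" = "1" ]
}

# Default-deny policy first, explicit allows after. The && chain makes
# the first failing command abort the whole load.
load_rules() {
    "$FW" -P FORWARD DROP &&
    "$FW" -F FORWARD &&
    "$FW" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT &&
    "$FW" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
          -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Point 1 of the reply: the 'echo 1 > ip_forward' is the very last step
# and only happens when everything before it succeeded.
bring_up() {
    set_forwarding 0
    check_defrag || { echo "always-defragment is off; not forwarding" >&2; return 1; }
    if load_rules; then
        set_forwarding 1
    else
        echo "rule load failed; forwarding left off" >&2
        return 1
    fi
}

if [ "${1:-}" = "start" ]; then
    bring_up
fi
```

Run as root with `sh fw.sh start`; the overridable knobs are only there so the ordering logic can be exercised against scratch files.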