Re: [TCLUG:12831] Issues raised today

To: tclug-list@mn-linux.org
Subject: Re: [TCLUG:12831] Issues raised today
From: ^chewie <chewie@wookimus.net>
Date: Tue, 25 Jan 2000 11:39:46 -0800
In-Reply-To: <Pine.GSO.4.21.0001251221460.12629-100000@sashimi.ccbr.umn.edu>; from robertl@ccbr.umn.edu on Tue, Jan 25, 2000 at 12:24:18PM -0600
References: <20000124153614.F27045@ravendusk.org> <Pine.GSO.4.21.0001251221460.12629-100000@sashimi.ccbr.umn.edu>
User-Agent: Mutt/1.0i

On Tue, Jan 25, 2000 at 12:24:18PM -0600, Robert Leduc wrote:
> 
> 
> I agree.  This might be off the topic, so forgive me.  I am in
> the class of novice user; I am running Linux on my box at home
> because I despise Windows.  The box is used only by myself,
> however, I would like to use the Linux system to connect via PPP
> to the U of M and would wonder about security issues I might
> face.
> 
> This is obviously much easier than those of you who have to run
> servers for others, etc.

UMN, eh?  Well, depends upon how much you trust UMN students to keep their
noses out of other people's computers...fat chance. ;-)  Some of the best
hacking is done from University networks. *grin*  Your security issues
would be fewer in Linux than Windows for the simple fact that you can
control access much easier, and you have a way to monitor that access.  In
Windoze, you are placing your faith in people you don't know when you
connect to the 'net, whatever net that may be.

What I recommend...

Network Available Services ("Fewer is better...")
* ssh - A secure shell program that provides a secure telnet session, a
     secure version of rcp, and a secure version of rsh.  IOW, you do
     not need or want telnet or ftp if you can help it.  Just make sure
     UMN has OpenSSH installed.  (type `which ssh` at your prompt while on
     the UMN computers)
* ..ab..abb.abb..that's all folks

Configure your hosts.allow and hosts.deny to look something like this:
# Hosts allow
all: LOCAL
ssh: ALL

# Hosts deny
all:PARANOID

And of course, only allow those ports into your firewall that you
absolutely need:

INET_IF=eth0
INET_IP=your.umd.ip.addr
INET_NET=your.umd.net.seg/mask
GATEWAY=your.umd.gateway.addr
IPCHAINS=/usr/sbin/ipchains

# Accept everything, we'll deny and log later
${IPCHAINS} -P input -j ACCEPT
${IPCHAINS} -P output -j ACCEPT
${IPCHAINS} -P forward -j ACCEPT

# Input chain, basic stand-alone computer
${IPCHAINS} -A input -i lo -s 127.0.0.1 -j ACCEPT
${IPCHAINS} -A input -i lo -s ${INET_IP} -j ACCEPT
${IPCHAINS} -A input -i ! ${INET_IF} -s 0/0 -d ${INET_IP} -j DENY -l
${IPCHAINS} -A input -i ${INET_IF} -d ${INET_IP} ssh -j ACCEPT
${IPCHAINS} -A input -i ${INET_IF} -j DENY -l

# Don't allow any forwarding...you've only got one interface anyway
${IPCHAINS} -A forward -j DENY -l

# Only allow output from lo and eth0 that originate from those addresses
${IPCHAINS} -A output -i lo -s 127.0.0.1 -j ACCEPT
${IPCHAINS} -A output -i lo -s ${INET_IP} -j ACCEPT
${IPCHAINS} -A output -i eth0 -s ${INET_IP} -j ACCEPT
${IPCHAINS} -A output -i ${INET_IF} -j DENY -l


# Note, however, that I think the lo entries for the INET_IP are
# unnecessary and fundamentally wrong.  I may have screwed up in my
# routing table by adding host entries for those particular IP addresses.
# Perhaps I won't have those problems if I take those entries out.
-- 
Chad Walstrom                         mailto:chewie@wookimus.net 
a.k.a ^chewie, gunnarr               http://wookimus.net/~chewie

PGP signature

References:
- Re: [TCLUG:12831] Issues raised today
  - From: "John R. Sheets" <dusk@ravendusk.org>
- Re: [TCLUG:12831] Issues raised today
  - From: Robert Leduc <robertl@ccbr.umn.edu>

Prev by Date: Re: [TCLUG:12874] VPN (was Re: [TCLUG:12807] bad day (more details))
Next by Date: GNOME
Prev by thread: Re: [TCLUG:12831] Issues raised today
Next by thread: Re: [TCLUG:12831] Issues raised today
Index(es):
- Date
- Thread