TCLUG Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [TCLUG:12831] Issues raised today
On Tue, Jan 25, 2000 at 12:24:18PM -0600, Robert Leduc wrote:
>
>
> I agree. This might be off the topic, so forgive me. I am in
> the class of novice user; I am running Linux on my box at home
> because I despise Windows. The box is used only by myself,
> however, I would like to use the Linux system to connect via PPP
> to the U of M and would wonder about security issues I might
> face.
>
> This is obviously much easier than those of you who have to run
> servers for others, etc.
UMN, eh? Well, depends upon how much you trust UMN students to keep their
noses out of other people's computers...fat chance. ;-) Some of the best
hacking is done from University networks. *grin* Your security issues
would be fewer in Linux than Windows for the simple fact that you can
control access much easier, and you have a way to monitor that access. In
Windoze, you are placing your faith in people you don't know when you
connect to the 'net, whatever net that may be.
What I recommend...
Network Available Services ("Fewer is better...")
* ssh - A secure shell program that provides a secure telnet session, a
secure version of rcp, and a secure version of rsh. IOW, you do
not need or want telnet or ftp if you can help it. Just make sure
UMN has OpenSSH installed. (type `which ssh` at your prompt while on
the UMN computers)
* ..ab..abb.abb..that's all folks
Configure your hosts.allow and hosts.deny to look something like this:
# Hosts allow
all: LOCAL
ssh: ALL
# Hosts deny
all:PARANOID
And of course, only allow those ports into your firewall that you
absolutely need:
INET_IF=eth0
INET_IP=your.umd.ip.addr
INET_NET=your.umd.net.seg/mask
GATEWAY=your.umd.gateway.addr
IPCHAINS=/usr/sbin/ipchains
# Accept everything, we'll deny and log later
${IPCHAINS} -P input -j ACCEPT
${IPCHAINS} -P output -j ACCEPT
${IPCHAINS} -P forward -j ACCEPT
# Input chain, basic stand-alone computer
${IPCHAINS} -A input -i lo -s 127.0.0.1 -j ACCEPT
${IPCHAINS} -A input -i lo -s ${INET_IP} -j ACCEPT
${IPCHAINS} -A input -i ! ${INET_IF} -s 0/0 -d ${INET_IP} -j DENY -l
${IPCHAINS} -A input -i ${INET_IF} -d ${INET_IP} ssh -j ACCEPT
${IPCHAINS} -A input -i ${INET_IF} -j DENY -l
# Don't allow any forwarding...you've only got one interface anyway
${IPCHAINS} -A forward -j DENY -l
# Only allow output from lo and eth0 that originate from those addresses
${IPCHAINS} -A output -i lo -s 127.0.0.1 -j ACCEPT
${IPCHAINS} -A output -i lo -s ${INET_IP} -j ACCEPT
${IPCHAINS} -A output -i eth0 -s ${INET_IP} -j ACCEPT
${IPCHAINS} -A output -i ${INET_IF} -j DENY -l
# Note, however, that I think the lo entries for the INET_IP are
# unnecessary and fundamentally wrong. I may have screwed up in my
# routing table by adding host entries for those particular IP addresses.
# Perhaps I won't have those problems if I take those entries out.
--
Chad Walstrom mailto:chewie@wookimus.net
a.k.a ^chewie, gunnarr http://wookimus.net/~chewie
PGP signature