On Tue, May 29, 2001 at 01:54:05AM +0530, Rajkumar S. wrote: > > I have been thinking about this for some time. I was not exactly > interested in having a firewall, but to have a system that can be used to > host a web, ftp, dns, mail servers. This will also include a firewall and > an IDS (snort). Some of the design points that I had was > > * Mounting as many partitions RO, including /etc, /usr etc.. and thus > * Having two modes of boot, > maintenance mode - which lets you edit the files > production mode - which is used for actual run > * Setting Append only attribute for /var/log > * Having ssh xinetd syslog-ng etc configured instead of insecure > alternatives > * Fully locking down the ports > * Configured firewall and snort by default > * Automatic log analysis and reporting on a secure web page. (so that any > one with the username and password can look at the summary and details of > the logs by visiting a page on the machine) > * Removal (non installation) of all but very essential programs. > * Use of encrypted protocols instead of plain text ones ie the daemons > used should use encryption if the clients support them > > > Some these may not be feasible and even absurd. > > But I want to mount bare minimum of file systems RW. The /var/log can be > made append only so that the logs can be appended only. The distribution > should have only minimum of utilities that are required for the work in > hand. The box is designed to work with minimal intervention. > > What I am planning is to hack the debian installation script to make > package selections which satisfy these requirement, and then to have a > hardening script like bastille linux. > > I would love to hear what you have to say about this. > > with warm regards, > > raj
I think it would be a great idea. I have been looking for a Debian based secure by default distribution. It would be great to have a script that would allow many options so that the user could choose a very secure install with no services, if it is a firewall only box. And to have the ability to install more services on it if one needs to run web servers, DNS etc. I know it is more risky to run services on a firewall but, if you or a home user or a small business and cannot afford to run dedicated servers it would be nice to know it could be secure as possible. I have checked into http://www.gibraltar but it looks like they are going to sale a commercial version that has a web based interface. I am looking for a totally open source version that uses open source tools so that I don't get locked into a proprietary version. Just some of my random thoughts, Kirk Schroeder
