Regarding e-smith security;
I have had an e-smith box up and running for about 1/2 a year with NOTHING
other than what is installed and configured by default. On a cable modem.
Uptime: 153 days. Breakins: 0 Attempted Breakins: many
So in my situation e-smith is secure be default. Of course that is
assuming one has half a clue. For example obviously if one were to allow
remote telnet access, and then on a regular basis telnet in (as root)
using your root/admin password, you are just asking for trouble. But
e-smith clearly warns the user regarding this.
Of course today now that I have some time, I have taken extra steps in
securing the box. Not that it isn't secure by default. But a good set of
firewall rules never hurt. I'm working now on an add-on rpm for some
firewall rules.
Here is my feeling (and obviously the person on linuxtoday was a troll):
E-smith out of the box is secure. Not watertight. But secure. Thing is
though, no system is waterproof. However for the average user who will
never login to their system through anything other than e-smith-manager or
the console menu, it is secure enough. Of course way more secure than a
virgin linux box or a windows machine.
For those interested in tightening and tweaking I would recomend
installing or at least considering the following:
Portsentry - This isa nice piece of software from www.psionic.com. The
idea is that when someone starts a portscan on you, portsentry detects
this and jumps in - in my case it denies the host through tcp_wrapper in
hosts.deny, as well as DENYing all packets through a chain rule. Very nice
to keep those script kiddies at bay, for after they nmap or whatever
you, they are denied all fruther access to the machine.
Logcheck - Another usefull tool. This will run on a regular basis (through
a cronjob) and checks your logs for any strange or dangerous messages. You
can configure what is reported and what is not through an easy to edit
file of keywords. http://www.psionic.com
SSHD - Plan on doing anything remotely? don't bother with telnet unless
you want to get broken into.
A good set of firewall rules. A good idea is to DENY everytihng and
only ACCEPT what you want.
Additionally I've setup an even older 486 internally with a 500 meg hard
drive. It has ipchains in place and blocks EVERYTHING except the
firewall's logging port. I have configured e-smith to send all it's log
message to this machine as well as /var/log. That way in the situation of
a breakin, where normally a quick rm -rf /var/log would take care of most
of the evil_hacker's footsteps (and cause some damage as well). Even if
they delete the logs from the e-smith machine they will still be nice and
safe on the internal log machine. To be totally safe yoou shouldn't even
allow telnet or ssh into this machine. Additionally, it is possible to
compile syslogd to look somewhere else that /etc/syslogd.conf for it's
conf file. By setting the conf file somewhere where you would not normally
expect to find it, and leaving the one in /etc intact it fools even more,
and won't alert anyone to the fact that you have external logging
occuring.
After going through all of these measures, I've seen the number of probes
lessen on the machine. Not as many portscans (maybe that's because
portsentry added quite a few blocks) etc. Kinda makes me nervous on a day
when NOTHING happens. Makes ya wonder...
Well I won't bore anyone further
on the list - if you have any questions about this feel free to ask.
The point was, e-smith is pretty damn secure out-of-the-box. of course
you can always do more. But isn't that always the case?
I am however curious, why did e-smith choose linux, over say, openbsd
or another bsd? Those systems are considered (especially open I believe)
to be rock-sold out of the box.
Cheers,
Steve
On Tue, 22 Aug 2000, Gordon Rowell wrote:
> On Tue, 22 Aug 2000, Michael Doerner wrote:
>
> > "...announced it is being honored with the editor's choice award from
> > Australian Personal Computer Magazine..."
> >
> > Congratulations, I just read this on Linux Today.
>
> Yes - we're pretty thrilled about this one.
>
> > One guy is raising "SECURITY??" under Talkbacks and I thought members here
> > on this list who are obviously knowledgeable, might want to jump in there?
>
> I am doing so at the moment. Easy to use does not imply "full of holes" -
> we believe e-smith is "easy to use" but I don't see any justification for
> the implication that it is "full of holes". We wouldn't be releasing it if
> this were the case.
>
> > I can't, since I am only playing with e-smith at this stage.
>
> Best wishes - I hope you enjoy it.
>
> Gordon
> --
> Gordon Rowell [EMAIL PROTECTED]
> http://www.e-smith.org (development) http://www.e-smith.com (corporate)
> Phone: +1 (613) 564 8000 ext. 4378 Fax: +1 (613) 564 7739
> e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada
>
>
> --
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
