On Monday 20 October 2003 07:30 am, Michael Holt wrote:
> Yeah, that makes sense. I was reading different posts on HOW to
> allow things though, and trying to find which way would stick
> which was confusing. I put 'All: All' in my allow file just so I
> can make it work and I found a sample allow file on the web that
> I'm going to play with when I get home from work today. Since
> you're running a web server, would you mind posting a copy of
> yours? (/etc/hosts.allow file, that is).

I wouldn't really mind but I don't think that it would do you any good. I do run a separate web server and since it is a public facing server, it would bear the brunt of most potential attacks; therefore, I purposefully keep it fairly locked down. I only allow SSH from within the local network, not from remote sites, and I purposefully limit the services run on it to known services. You have a more general purpose setup, so you would have to open up more stuff.

If you are not running a hardware router, I would highly suggest that you get one. Also, there are several security packages available that you should consider installing: portsentry, tripwire, logcheck, snort and perhaps even nessus to scan your own machine for possible exploits. If you have a hardware router, most of these should show up as negative unless you are actively running services.

My current hosts.allow file might have something like the following:

    sshd: 192.168.0.? :ALLOW
    pureftpd: 192.168.0.? :ALLOW

And that would be it. Other traffic is denied by default so any type of telnet or other connection would be dropped. Couple that with the firewall software and about the only traffic that can get through from outside is web traffic.

> I've got kind of an 'all-in-one' type of server - I don't really
> have the resources to split things up. I'm running apache,
> webmail (postfix, squirrelmail, etc), samba, ftp, ssh, blah; just
> pretty much everything - on the same box. It would be nice to
> setup a firewall (other than port forwarding on my router), get
> msec all hardened up, and make everything all secure - but I think
> I have too many things going to do that. Anyway, all suggestions
> excepted :)

Unfortunately, you don't have much of a choice. With all of those services opened up, there is no substitute for a good firewall/hardware router and, at minimum, several other security tools including, IMO, Snort (intrusion detection), tripwire (checksum on files and changes), portsentry (detects and disables port scans), chkrootkit (checks for root kits), and logcheck (checks for modifications to the log file).

Other suggestions: don't allow anonymous ftp access (that makes your server a target for script kiddies/warez kiddies), use RSA key encoding for SSH which provides an additional layer of security, disallow Samba from external access with the firewall (I don't trust anything even if not MS but built to mimic MS stuff), and I would suggest tunneling the postfix and squirrelmail through SSH and disallowing those ports externally so that you get encryption and extra layers of security on the mail server.

-- 
Bryan Phinney
Software Test Engineer
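
Added example, not part of the original thread or anyone's actual configuration: a simplified Python model of the hosts.allow / hosts.deny lookup order, run against the two rule sets discussed above ('ALL: ALL' and the two-line restricted file). The function names, the sample addresses and the catch-all hosts.deny content are assumptions; only IPv4 strings and the ALL, trailing-dot and ?/* pattern forms are modelled.

```python
import fnmatch

def parse_rules(text):
    """Parse 'daemons : clients [: option]' lines (IPv4 only, no shell commands)."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed rule, skipped in this model
        option = fields[2].upper() if len(fields) > 2 else ""
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split(), option))
    return rules

def matches(pattern, value):
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):  # network prefix such as 192.168.0.
        return value.startswith(pattern)
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())  # '?' = one char

def first_match(rules, daemon, client):
    for daemons, clients, option in rules:
        if any(matches(d, daemon) for d in daemons) and any(matches(c, client) for c in clients):
            return option or "MATCH"
    return None

def decide(daemon, client, allow_text, deny_text):
    """hosts.allow is searched first, then hosts.deny; no match at all grants access."""
    hit = first_match(parse_rules(allow_text), daemon, client)
    if hit is not None:
        return "deny" if hit == "DENY" else "allow"
    hit = first_match(parse_rules(deny_text), daemon, client)
    if hit is not None:
        return "allow" if hit == "ALLOW" else "deny"
    return "allow"

def open_rules(allow_text):
    """Rules that admit every client, for example 'ALL: ALL'."""
    return [r for r in parse_rules(allow_text)
            if r[2] != "DENY" and any(c.upper() == "ALL" for c in r[1])]

# Constructed sample files; DENY_ALL is an assumed hosts.deny, not from the thread.
RESTRICTED = "sshd: 192.168.0.? :ALLOW\npureftpd: 192.168.0.? :ALLOW\n"
WIDE_OPEN = "ALL: ALL\n"
DENY_ALL = "ALL: ALL\n"
```

In this model decide("sshd", "192.168.0.25", RESTRICTED, DENY_ALL) returns "deny" because ? matches exactly one character, and decide("in.telnetd", "203.0.113.9", RESTRICTED, "") returns "allow" because nothing in either file matches.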