--On Friday, April 18, 2008 09:15:41 -0700 Kurt Buff <[EMAIL PROTECTED]>
wrote:
Not to detour this conversation too much, I hope, but I'm in a
different situation, and this is going to be an issue for me. I'm
putting together a box that's going to be a router for our company,
using BGP to give access to our T1 and frac DS3. That's all it should
be doing, it will have no other services. It'll be in our server room,
though, so I won't have to get at it from anywhere, except perhaps
home, and even that could be avoided by simply traveling the 10 miles
to work.
So, I'm wondering how to lock it down - I'm even contemplating
eliminating any MTA and sshd, and just running the routing daemon, but
sshd is just so useful that it's hard to do without, and eliminating
the MTA denies me the goodness of the periodic reports.
Just have the MTA listen on localhost or on a unix socket. It can still send
the reports that way but can't be attacked from outside (excepting the limited
case that Matthew referred to.)
'Casting
syslog to my internal syslog host is also problematic, but possible, I
suppose.
Well, you *should* be remote syslogging any critical machines like that, but
that doesn't mean the host itself has to listen for incoming syslog messages.
WRT SSH, if it's a real concern, only allow access from your internal network.
Then use a publicly accessible machine to tunnel through to it. (But lock it
down as well. Attackers can come from the inside of your network just as
easily as they can from outside.)
Then there's the problem of managing and monitoring the thing
once it's installed. Being able to use mrtg/cacti/something to query
SNMP would be extraordinarily useful, as we will be paying extra for
bandwidth above our fractional rate on the DS3, and also to monitor
the health of the box.
If you're wanting to do this from "foreign" networks (not your own), then set
up ssl and logins (.htaccess or httpd.conf, local or ldap, pam, whatever your
have available) for the web interface.
--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
