As far as "Total System Security" goes, I like trinityOS. It has a lot of
great uses. As far as securing an existing Linux box, I am partial to
Bastille-Linux ( It's a series of hardening
scripts that secure a system based on your responses to a series of questions.
Among other things, it will also create a packet filter script for you ( with
some decent comments).

> My Favorite ipchains script is the one located within the Trinity OS
> Document. It is fairly secure, and heavily commented so that it is easy
> to see how each rule contributes to the operation of the firewall.
> >"Kenneth E. Lussier" wrote:
> >
> > Greg Kettmann wrote:
> > [...snip...]
> > >  Another truly excellent site is
> > > by Bob Ziegler.  He literally wrote the book on
> > > Linux Firewalls.  His site has links to the relevant HOW-TO's plus his own
> > > instructions.  It also contains a tool to generate the IPCHAINS or IPFWADM 
> > > needed to start the firewall.  There are other excellent sites and resources, as
> > > well, but I like this one.  GGK
> > >
> >
> > I could not disagree with this more. Rob Ziegler *DID* write a book, and you
> > may in fact like his utility. Other than that, I take issue with everything
> > else that you said. His book is BAD. It is 100% Red Hat-centric, which is
> > problem #1. Given that I was totally annoyed with what I DID read of the book
> > and never finished it, I won't comment any further on it. OK, I lied.... It
> > also doesn't deal with anything related to encryption. How can you talk about
> > firewalls and security and neglect to mention encryption?!?
> >
> >         Now, on to his tool..... Sure, it works... Sort of. What it creates is a
> > completely bloated script with about 1000 rules that you don't need. Also,
> > when you have a default policy of DENY, you do not have to then go ahead and
> > specifically deny everything (including subnets that cannot be routed to begin
> > with). By putting this much garbage into an ipchains script, you increase the
> > chances of making a hole where there shouldn't be. Also, his instructions are
> > horrible. You are better off reading the actual Firewall-HOWTO. Not to mention
> > the fact that he completely ignores the fact that you may have to patch your
> > kernel in order to do certain things.
> >
> >         All in all, I find his tools, his writing, and his claims of expertise to be
> > insufficient, inadequate, and detrimental to network security. The argument
> > that I hear the most in his defence is "Well, it's good for beginners". My
> > answer to that is "*NO IT CERTAINLY IS NOT!!!*". It is NEVER good for a beginner
> > to learn the wrong way to do things, and it is never good for a beginner to
> > think that the wrong, inadequate, and insecure ways of one person are the
> > correct ways. That beginner then has a false sense of knowledge, and they
> > begin to rely on these things rather than ever learn the correct ways. Not to
> > mention, when they come to the realization that what they know isn't good
> > enough, they have to start all over from the beginning. So, in reality, it is
> > *NOT* good for beginners.
> >
> > Just my NSHO,
> > Kenny
> >
> > --
> > Kenny Lussier
> > Systems Administrator
> > Mission Critical Linux
> > ******************************
> > If at first you don't succeed,
> > destroy all evidence that you
> > tried
> > ******************************
> >
> > **********************************************************
> > To unsubscribe from this list, send mail to
> > [EMAIL PROTECTED] with the following text in the
> > *body* (*not* the subject line) of the letter:
> > unsubscribe gnhlug
> > **********************************************************

Kenny Lussier
Systems Administrator
Mission Critical Linux
If at first you don't succeed,
destroy all evidence that you
tried


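For readers who want to see what the "default policy of DENY, then only the rules you actually need" approach from the thread looks like in practice, here is a minimal ipchains input chain written as an added example. It is not from the thread, from trinityOS, from Bastille, or from Ziegler's generator. Everything concrete in it is a hypothetical assumption: a single external interface eth0 with address 192.0.2.10, SSH as the only inbound service, and a resolver at 192.0.2.53. DRY_RUN=1 (the default) prints the rules instead of applying them, which is the only sensible way to run it on anything newer than a 2.2 kernel, since ipchains is long gone.

```shell
# Minimal ipchains input policy (added example; hypothetical host values).
# EXT_IF / EXT_IP / resolver address are assumptions, not taken from the thread.
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-192.0.2.10}"
RESOLVER="${RESOLVER:-192.0.2.53}"
DRY_RUN="${DRY_RUN:-1}"

# ipc: print the ipchains command when DRY_RUN=1, otherwise run it.
ipc() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

apply_rules() {
    # Flush the input chain and set the default policy to DENY. From here on,
    # any packet that matches no ACCEPT rule below is dropped, so there is no
    # need for hundreds of per-network "deny" rules.
    ipc -F input
    ipc -P input DENY

    # Loopback traffic is always local.
    ipc -A input -i lo -j ACCEPT

    # Anti-spoof: packets arriving on the external interface with a private or
    # loopback source address. These are NOT made redundant by the default
    # policy, because they are placed before the service ACCEPTs that such a
    # packet could otherwise match. The -l flag logs each hit.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        ipc -A input -i "$EXT_IF" -s "$net" -j DENY -l
    done

    # The one inbound service: SSH to this host.
    ipc -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 22 -j ACCEPT

    # Replies to TCP connections this host opened. ipchains has no connection
    # tracking, so "not a SYN packet" (! -y) is the stateless stand-in.
    ipc -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # UDP replies from the resolver only.
    ipc -A input -i "$EXT_IF" -p udp -s "$RESOLVER" 53 -j ACCEPT

    # Explicit final DENY with logging, so what the default policy would have
    # dropped silently shows up in syslog.
    ipc -A input -i "$EXT_IF" -j DENY -l
}

# rule_count: number of ipchains invocations the policy produces.
rule_count() {
    apply_rules | wc -l | tr -d ' '
}
```

Run it with `DRY_RUN=1 sh script.sh; apply_rules` style sourcing, or just `apply_rules` after sourcing the file, and read the eleven lines it prints. The point to take from the ordering is that a source-address DENY is only redundant with the default policy when no earlier ACCEPT can match the packet; the anti-spoof rules above sit ahead of the SSH and non-SYN ACCEPTs precisely so that a forged 10.0.0.0/8 packet never reaches them. Drop the -l flags if the log volume on a busy link is a problem.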