At 02:44 PM 5/24/2000 -0400, Kenneth E. Lussier wrote:
Hrm.. looking for a HARD OS? I like OpenBSD - so far it is the most secure by
far... not one root exploit found in it for 3 years. Much like most other
'nixes, it's worth looking into if you want something secure.
www.openbsd.org
~kurth
>As far as "Total System Security" goes, I like trinityOS. It has a lot of
>great uses. As far as securing an existing Linux box, I am partial to
>Bastille-Linux (http://www.bastille-linux.org). It's a series of hardening
>scripts that secure a system based on your responses to a series of questions.
>Among other things, it will also create a packet filter script for you ( with
>some decent comments).
>FYI,
>Kenny
>
>[EMAIL PROTECTED] wrote:
> >
> > My Favorite ipchains script is the one located within the Trinity OS
> > Document. It is fairly secure, and heavily commented so that it is easy
> > to see how each rule contributes to the operation of the firewall.
> >
> > http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
> >
> > >"Kenneth E. Lussier" wrote:
> > >
> > > Greg Kettmann wrote:
> > > [...snip...]
> > > > Another truly excellent site is
> > > > http://linux-firewall-tools.com/ by Bob Ziegler. He literally wrote the book on
> > > > Linux Firewalls. His site has links to the relevant HOW-TO's plus his own
> > > > instructions. It also contains a tool to generate the IPCHAINS or IPFWADM scripts
> > > > needed to start the firewall. There are other excellent sites and resources, as
> > > > well, but I like this one. GGK
> > > >
> > >
> > > I could not disagree with this more. Rob Ziegler *DID* write a book, and you
> > > may in fact like his utility. Other than that, I take issue with everything
> > > else that you said. His book is BAD. It is 100% RedHat-centric, which is
> > > problem #1. Given that I was totally annoyed with what I DID read of the book
> > > and never finished it, I won't comment any further on it. OK, I lied.... It
> > > also doesn't deal with anything related to encryption. How can you talk about
> > > firewalls and security and neglect to mention encryption?!?
> > >
> > > Now, on to his tool..... Sure, it works... Sort of. What it creates is a
> > > completely bloated script with about 1000 rules that you don't need. Also,
> > > when you have a default policy of DENY, you do not have to then go ahead and
> > > specifically deny everything (including subnets that cannot be routed to begin
> > > with). By putting this much garbage into an ipchains script, you increase the
> > > chances of making a hole where there shouldn't be. Also, his instructions are
> > > horrible. You are better off reading the actual Firewall-HOWTO. Not to mention
> > > the fact that he completely ignores the fact that you may have to patch your
> > > kernel in order to do certain things.
> > >
> > > All in all, I find his tools, his writing, and his claims of expertise to be
> > > insufficient, inadequate, and detrimental to network security. The argument
> > > that I hear the most in his defence is "Well, it's good for beginners". My
> > > answer to that is "*NO IT CERTAINLY IS NOT!!!*". It is NEVER good for a beginner
> > > to learn the wrong way to do things, and it is never good for a beginner to
> > > think that the wrong, inadequate, and insecure ways of one person are the
> > > correct ways. That beginner then has a false sense of knowledge, and they
> > > begin to rely on these things rather than ever learn the correct ways. Not to
> > > mention, when they come to the realization that what they know isn't good
> > > enough, they have to start all over from the beginning. So, in reality, it is
> > > *NOT* good for beginners.
> > >
> > > Just my NSHO,
> > > Kenny
> > >
> > > --
> > > Kenny Lussier
> > > Systems Administrator
> > > Mission Critical Linux
> > > ******************************
> > > If at first you don't succeed,
> > > destroy all evidence that you
> > > tried
> > > ******************************
> > >
> > > **********************************************************
> > > To unsubscribe from this list, send mail to
> > > [EMAIL PROTECTED] with the following text in the
> > > *body* (*not* the subject line) of the letter:
> > > unsubscribe gnhlug
> > > **********************************************************
> >
>
Kurth Bemis - Senior Linux Network/Systems Administrator, USAExpress.net
[EMAIL PROTECTED]
http://www.usaexpress.net/kurth
ICQ - 6624050
Call Sign - N1TYW
PGP key available - http://www.usaexpress.net/kurth/pgp
Fight Weak Encryption! Donate your wasted CPU cycles to Distributed.net
(http://www.distributed.net)
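Kenny's point about default policies (once a chain's policy is DENY, a trailing pile of explicit DENY rules does nothing except add places for mistakes) can be checked mechanically before a generated script is loaded. The linter below is an added example, not code from this thread or from any of the tools discussed, and the ipchains script it reads is constructed for illustration rather than real generator output. It parses `-P`, `-A`, `-j` and `-l`, and flags a DENY rule as redundant only when no later rule in a DENY-policy chain could still ACCEPT the packet. Rules that log (`-l`), REJECT rules (which answer with ICMP instead of dropping silently) and anti-spoofing denies placed *before* the ACCEPT rules are deliberately left alone, since those do real work.

```python
"""Flag explicit DENY rules that a default DENY policy already covers.

Added example for the thread above; the sample script is constructed, not
real linux-firewall-tools.com output. Only `ipchains -P` and `-A` lines are
understood (`-I` inserts are not modelled, an assumption of this example).
"""
import shlex

# Constructed sample ruleset (not from the thread or any real generator).
SAMPLE_SCRIPT = """\
# constructed sample ipchains script
ipchains -F
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i eth0 -s 192.168.1.0/24 -j DENY -l
ipchains -A input -p tcp -d 192.168.1.1 22 -j ACCEPT
ipchains -A input -p tcp -d 192.168.1.1 80 -j ACCEPT
ipchains -A input -s 10.0.0.0/8 -j DENY
ipchains -A input -s 172.16.0.0/12 -j DENY
ipchains -A input -s 192.168.0.0/16 -j DENY -l
ipchains -A input -p tcp -y -j REJECT
ipchains -A output -s 127.0.0.0/8 -j DENY
"""


def parse_ipchains(script):
    """Return (policies, chains).

    policies maps chain name -> policy target set with -P.
    chains maps chain name -> ordered list of rules appended with -A, each a
    dict with the script line number, the -j target and whether -l logs.
    """
    policies = {}
    chains = {}
    for lineno, raw in enumerate(script.splitlines(), start=1):
        tokens = shlex.split(raw, comments=True)
        if not tokens or tokens[0] != "ipchains":
            continue
        args = tokens[1:]
        chain = target = None
        log = False
        i = 0
        while i < len(args):
            tok = args[i]
            if tok == "-P":            # default policy for a chain
                policies[args[i + 1]] = args[i + 2]
                i += 3
                continue
            if tok == "-A":            # append a rule to a chain
                chain = args[i + 1]
                i += 2
                continue
            if tok == "-j":            # rule target
                target = args[i + 1]
                i += 2
                continue
            if tok == "-l":            # log matching packets
                log = True
            i += 1                     # every other option is irrelevant here
        if chain is not None:
            chains.setdefault(chain, []).append(
                {"line": lineno, "target": target, "log": log})
    return policies, chains


def find_redundant_denies(script):
    """Return [(chain, line), ...] for DENY rules the policy already covers.

    A DENY rule only changes the outcome if some later rule in the chain
    could still accept the packet (ACCEPT or a jump to a user chain). When
    nothing below it can accept and the chain's policy is DENY, the packet
    would have been dropped anyway. Logging rules and REJECT are kept.
    """
    policies, chains = parse_ipchains(script)
    redundant = []
    for chain, rules in chains.items():
        if policies.get(chain) != "DENY":
            continue
        for idx, rule in enumerate(rules):
            if rule["target"] != "DENY" or rule["log"]:
                continue
            later_may_accept = any(
                r["target"] not in ("DENY", "REJECT") for r in rules[idx + 1:])
            if not later_may_accept:
                redundant.append((chain, rule["line"]))
    return redundant


if __name__ == "__main__":
    for chain, line in find_redundant_denies(SAMPLE_SCRIPT):
        print(f"line {line}: DENY in chain '{chain}' is already the policy")
```

Run against the constructed script it reports the two private-address denies at the bottom of the input chain (lines 10 and 11); the eth0 anti-spoof deny at line 7 is kept because ACCEPT rules follow it, the logging deny at line 12 is kept for its audit value, and the output chain is skipped because its policy is ACCEPT. The same check can be pointed at any generated script before it is installed, which is exactly the kind of review a bloated 1000-rule file makes hard to do by eye.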