On Saturday 14 August 2004 11:00 am, BJ Tracy wrote:

> SNIP
> Hello All,
> Question for the group.  With Linux, do you need a firewall on every PC?
> In my office I have a LAN set up and with that I have a (hard wired) Router
> going out to my DSL.  I thought in this way I was protected.  Also do I
> need to install Virus Protection on my new Linux PC's ( I have been using
> Linux going on 6 weeks now and trying to learn as much as possible).  If
> so,  do I install DR. WEB that came with my MDK 10?
> Please Advise.

There are very few virus threats for Linux, and IIRC, almost none in the wild.  
Obviously, if you install software provided from dubious sources, there is 
the possibility that you will install something that will be malicious.  With 
Linux, it is much more important to eliminate unused services, limit network 
connectivity to those things that you need, practice good security by using 
non-trivial/obvious passwords, limiting user access and open accounts than to 
install anti-virus software.

>
> My thoughts:
> I thought that since I switched to Linux and had a Router(hard wired) as a
> firewall, I was protected from most of this.

This totally depends on the type of router that you are using.  If the router 
includes stateful packet inspection (SPI), then it is much more like a real 
router than if it simply performs Network Address Translation (NAT).  Most 
inexpensive DSL routers are like the latter and only do NAT for the computers 
behind them.  Those like the former are better because they help to thwart 
spoofed packets and may include some rudimentary DoS and attack protection.

However, you should always consider security to be much like castle defense.  
You don't want to set up a single barrier and rely solely on that barrier to 
protect you.  The reason is that once that barrier is breached, you are 
completely open.  So, you want to layer your defenses so that even if one 
avenue is breached, the attacker still has to get through additional layers.

Some suggestions:
1. A hardware router is good; it prevents easy entry into the LAN to a trusted 
state.
2. A software router next.  Installing a good software router like shorewall is 
good too, it will deny most incoming connections that you don't expressly 
open up while still allowing outgoing connections as long as they are 
initiated from inside.  Even if the attacker somehow manages to bypass the 
hardware router, they will still get packets dropped from inside.  You can 
also allow only specific outgoing connections to prevent filesharing apps and 
other sundries from running, although I am much more lenient about those 
things with Linux than I would be with Windows.
3. Use hosts.deny and hosts.allow to only allow those services that you want 
to have access.  You can allow liberal activity from 192.168.*.* or 10.*.*.* 
addresses since those are non-routable on the Internet and must originate on 
your internal LAN.
4. Send network services through an SSH tunnel where it makes sense.  
Services like VNC or X should always be pushed through a secure connection, 
never opened up on the Internet.
5. Limit all services that allow information to be gleaned.  I allow POPS and 
IMAPS on my server but insist that the users' email accounts do not match up to 
their usernames.  That way, even if you have the email address of someone on 
my system, you can't use that as an account name to try to dictionary attack 
the password.  I also limit ssh access to only those accounts that need it, 
not all the accounts on the system.
6. Install an intrusion detection system, like portsentry, hostsentry, Snort, 
etc.  You can get advance warnings if your machine is being probed.  This can 
be especially useful if you are exposed to the Internet in a DMZ but is 
actually also useful if the hardware firewall is compromised in some way and 
someone manages to open it up completely.
7. Install some type of logchecker that sends regular (daily) updates to you 
based on specific criteria.  For instance, you might grep all login attempts 
on an FTP server if you run one so that you can tell when someone is trying 
to bypass security using invalid accounts or by trying dictionary attacks 
against a password.  You might grep web server logs to see if someone is 
trying to access or search for formmail scripts or trying to use the 
mod_proxy to proxy out to an external connection.  Or perhaps too many login 
failures on a secured directory.

Just think of it as a layered castle defense.  Build walls, also moats, interior 
choke points, cut off tunnel access, etc.  Each time you can add a layer, you 
make yourself more secure.
-- 
Bryan Phinney
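The host firewall from suggestion 2 above, written out as an added example in Shorewall's configuration files. This is not configuration from the post or from the Shorewall project; it assumes the Shorewall 4.x file layout, a single interface eth0, and a LAN of 192.168.1.0/24, all of which are assumptions for the example.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4

# /etc/shorewall/interfaces   (eth0 is an assumption; use your real interface)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy
# Outgoing from this host is allowed; replies come back via connection tracking.
# Everything unsolicited from the network is dropped and logged.
#SOURCE   DEST   POLICY   LOG LEVEL
$FW       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Only SSH and ping, and only from the LAN (192.168.1.0/24 is an assumption).
# Nothing else is opened, so the DROP policy above covers the rest.
#ACTION        SOURCE               DEST   PROTO   DPORT
ACCEPT         net:192.168.1.0/24   $FW    tcp     22
Ping(ACCEPT)   net:192.168.1.0/24   $FW

# To restrict outgoing traffic as well (the stricter variant the post mentions),
# replace the "$FW net ACCEPT" policy with "$FW net REJECT info" and list what
# is permitted explicitly, for example:
#ACTION   SOURCE   DEST   PROTO   DPORT
#ACCEPT   $FW      net    udp     53
#ACCEPT   $FW      net    tcp     80,443
```

Run `shorewall check` before `shorewall start`; it parses the files and reports column or zone errors without touching the live ruleset. Because the policy denies by default, every service you later add to the machine stays unreachable from outside until a rule is written for it, which is the layering the post describes.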

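The tcp_wrappers files from suggestion 3, with the SSH tunnel for VNC from suggestion 4 noted in the comments, as an added example that is not from the post. It assumes a LAN of 192.168.1.0/24 and an sshd linked against libwrap; OpenSSH dropped tcp_wrappers support in 6.7, so on a current system this layer has to come from the firewall or from sshd's own AllowUsers/Match settings instead.

```text
# /etc/hosts.deny  -- the default: refuse every wrapped service from everywhere.
ALL: ALL

# /etc/hosts.allow -- checked before hosts.deny; the first matching line wins.
# Local daemons that talk to each other over loopback.
ALL: 127.0.0.1
# sshd only from the LAN (192.168.1.0/24 is an assumption; the netmask form
# is accepted by every tcp_wrappers version, CIDR only by newer ones).
sshd: 192.168.1.0/255.255.255.0
# VNC and X are deliberately NOT listed: they are never exposed directly.
# On the server, start the VNC display bound to loopback only:
#     vncserver :1 -localhost
# From the client, forward local port 5901 over SSH and connect to the tunnel:
#     ssh -N -L 5901:127.0.0.1:5901 user@server
#     vncviewer 127.0.0.1:1
```

Display :1 corresponds to TCP port 5901, so the forward above maps the client's 5901 onto the server's loopback-only 5901 and VNC's weak password exchange never crosses the network in the clear. `tcpdmatch sshd 203.0.113.7` (shipped with tcp_wrappers) shows which line a given client would hit, which is worth checking after every edit to these files.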

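The daily log check from suggestion 7, as an added example written for this page rather than taken from the post: it pulls out exactly the things the post says to grep for (failed and invalid-user SSH logins, formmail probes, attempts to use the web server as a proxy, repeated failures on a protected directory). The log lines it runs over are constructed here so the script works offline; the file paths, host names and addresses in them are invented for the example.

```shell
#!/bin/sh
# Daily log check (added example, not from the original post).
# Point AUTH_LOG at /var/log/auth.log (or /var/log/secure) and WEB_LOG at the
# Apache access log in real use; by default the script writes sample logs to
# $TMPDIR so it can be run without a real system.
AUTH_LOG="${AUTH_LOG:-${TMPDIR:-/tmp}/auth.sample.log}"
WEB_LOG="${WEB_LOG:-${TMPDIR:-/tmp}/access.sample.log}"

# Constructed sample data: one dictionary attack from 203.0.113.7, one local
# typo from the LAN, a formmail/proxy scan from 198.51.100.9, and three 401s
# on /private/ from a LAN user.
make_samples() {
    cat > "$AUTH_LOG" <<'EOF'
Aug 14 02:11:03 gw sshd[2231]: Failed password for invalid user oracle from 203.0.113.7 port 41022 ssh2
Aug 14 02:11:05 gw sshd[2233]: Failed password for invalid user test from 203.0.113.7 port 41030 ssh2
Aug 14 02:11:09 gw sshd[2235]: Failed password for root from 203.0.113.7 port 41041 ssh2
Aug 14 02:11:14 gw sshd[2237]: Failed password for root from 203.0.113.7 port 41052 ssh2
Aug 14 08:30:41 gw sshd[2501]: Failed password for bryan from 192.168.1.20 port 50112 ssh2
Aug 14 08:30:49 gw sshd[2501]: Accepted password for bryan from 192.168.1.20 port 50112 ssh2
EOF
    cat > "$WEB_LOG" <<'EOF'
198.51.100.9 - - [14/Aug/2004:03:02:10 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 288
198.51.100.9 - - [14/Aug/2004:03:02:11 -0500] "GET /cgi-bin/FormMail.cgi HTTP/1.0" 404 288
198.51.100.9 - - [14/Aug/2004:03:02:15 -0500] "GET http://www.example.net/ HTTP/1.0" 200 1523
198.51.100.9 - - [14/Aug/2004:03:02:16 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 405 312
192.168.1.20 - - [14/Aug/2004:09:15:00 -0500] "GET /index.html HTTP/1.1" 200 4401
192.168.1.20 - bryan [14/Aug/2004:09:16:02 -0500] "GET /private/ HTTP/1.1" 401 512
192.168.1.20 - bryan [14/Aug/2004:09:16:05 -0500] "GET /private/ HTTP/1.1" 401 512
192.168.1.20 - bryan [14/Aug/2004:09:16:09 -0500] "GET /private/ HTTP/1.1" 401 512
EOF
}

# Hosts with failed SSH logins, busiest first: "<count> <host>".
ssh_failures_by_host() {
    grep 'sshd\[.*\]: Failed password' "$AUTH_LOG" \
        | sed 's/.* from \([^ ]*\) port.*/\1/' | sort | uniq -c | sort -rn
}

# Number of failed SSH logins from one host ($1).
count_failures_from() {
    grep 'sshd\[.*\]: Failed password' "$AUTH_LOG" | grep -c -F "from $1 port" || true
}

# Account names that do not exist but were tried anyway: a dictionary attack,
# and a sign the attacker is guessing names rather than reading them off email.
invalid_users() {
    sed -n 's/.*Failed password for invalid user \([^ ]*\) from.*/\1/p' "$AUTH_LOG" | sort -u
}

# Requests probing for formmail scripts, in any capitalisation.
formmail_probes() {
    grep -ci 'formmail' "$WEB_LOG" || true
}

# Attempts to use the web server as an open proxy: CONNECT requests or a
# request line carrying an absolute URL, which only a proxy client sends.
proxy_attempts() {
    grep -c -E '"(CONNECT |[A-Z]+ https?://)' "$WEB_LOG" || true
}

# Hosts with more than $1 "401 Unauthorized" answers (field 9 of the common
# log format is the status code): repeated failures on a protected directory.
auth_failures_over() {
    awk -v limit="$1" '$9 == 401 { n[$1]++ }
        END { for (h in n) if (n[h] > limit) print n[h], h }' "$WEB_LOG"
}

daily_report() {
    echo "== failed SSH logins by host ==";      ssh_failures_by_host
    echo "== invalid user names tried ==";      invalid_users
    echo "== formmail probes: $(formmail_probes)"
    echo "== proxy attempts:  $(proxy_attempts)"
    echo "== hosts with >2 auth failures ==";   auth_failures_over 2
}

# "./logcheck.sh demo" builds the sample logs and prints the report.
if [ "${1:-}" = "demo" ]; then make_samples; daily_report; fi
```

Run it from cron once a day and pipe the output to yourself, for example `0 6 * * * AUTH_LOG=/var/log/auth.log WEB_LOG=/var/log/apache2/access.log /usr/local/bin/logcheck.sh report | mail -s "daily log report" root`, with the `demo` guard replaced by whatever argument you choose. The point of the invalid-user list is the post's suggestion 5: if the names tried are your users' real email local parts, an attacker has already mapped addresses to accounts.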