> Along with Pmfirewall you should also configure portsentry to watch for
> port scans. Pmfirewall, using Ipchains, is a wonderful first step, but a
> single layered security scheme isn't much security at all. I wouldn't use
> anything less than two layers, and that's cutting things down to bare bones.
> These days, when it comes to keeping your machine secure from unwanted
> visitors, redundancy is the way.

Along with Portsentry, installing LogCheck is wise. It too is made by
Psionic. Logcheck parses the logs, saving only the pertinent information,
and mails them each hour to root, or whomever.

>
> I will tell you that the hosts.deny file continues to grow daily since
> these guys just don't take no for an answer and they're still trying to
> gain access. Their IP numbers are all over my firewall logs and portsentry
> continues to log their scans and enter their IP addresses in the
> hosts.deny file so that it remembers them.
>

If you add the following line to the hosts.deny file, you needn't worry about a
vast majority of problems:
ALL:ALL@ALL,PARANOID

That tells the machine, for programs using TCPWrappers, to deny everyone
access to everything, and block any machine whose name does not match its
IP.

If you need to use INET services on the Linux machine, add the following
lines to hosts.allow:
in.telnetd: 192.168.0.3 bar.foo.com

That's just for example. Replace in.telnetd with whatever program you wish
to use, and 192.168.0.3 with whichever machine you want to connect.

Also, if you add the following lines to the sysctl.conf (IIRC, that's what
Mandrake calls it):
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_all = 1

And if you're going to all that trouble, you might as well do the following:

In /etc/securetty comment out everything except tty1. Then root can only log
onto tty1. If you need more root, you can log on and su.

For a good degree of security, remove the rpm binary. Copy it to a floppy
disk, or three, and store them away safely. Without rpm, it's impossible for
both you and nefarious users to add anything to the computer. If you also
remove the compiler, that increases security, but makes life difficult.

Consider using Tripwire as it checks the integrity of your important
programs. It won't stop an intrusion, but you'll be alerted promptly.
Another program, called sXid, which also runs as a cron job, tracks changes
in s[ug]id programs. It's available at
http://the.wiretapped.net/security/host-security/sxid/

Regards,
Nathan
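As an added illustration (example code, not from Nathan's mail and not libwrap itself), here is a simplified Python evaluator for the hosts.allow / hosts.deny lookup order the mail relies on, fed the two rules from the mail as constructed input. The Client fields and the rdns_consistent flag standing in for the PARANOID name/address check are assumptions of this example.

```python
"""Simplified tcp_wrappers access evaluator (added example, not libwrap).

Models the lookup order: hosts.allow first, then hosts.deny, then allow
by default. Supports the subset used in the mail: daemon/client lists,
ALL, the user@host form (user part ignored) and PARANOID. The real
library performs the PARANOID name/address check during host lookup;
here it is modelled as an ordinary client pattern (assumption).
"""
from dataclasses import dataclass


@dataclass
class Client:
    ip: str
    hostname: str           # reverse-lookup result, "" if none
    rdns_consistent: bool   # forward lookup of hostname returns ip


def _tokens(field):
    # Lists may be separated by commas and/or whitespace.
    return [t for t in field.replace(",", " ").split() if t]


def _client_matches(pattern, client):
    if "@" in pattern:      # user@host: ignore the user part
        pattern = pattern.split("@", 1)[1]
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return not client.rdns_consistent
    return pattern in (client.ip, client.hostname)


def _rule_matches(line, daemon, client):
    line = line.split("#", 1)[0].strip()
    if ":" not in line:
        return False
    daemons, clients = line.split(":", 1)
    daemon_ok = daemon in _tokens(daemons) or "ALL" in _tokens(daemons)
    return daemon_ok and any(_client_matches(p, client)
                             for p in _tokens(clients))


def access_granted(hosts_allow, hosts_deny, daemon, client):
    """First matching rule wins; no match at all means access is granted."""
    for line in hosts_allow.splitlines():
        if _rule_matches(line, daemon, client):
            return True
    for line in hosts_deny.splitlines():
        if _rule_matches(line, daemon, client):
            return False
    return True


# Constructed input: the two rules quoted in the mail.
HOSTS_DENY = "ALL:ALL@ALL,PARANOID\n"
HOSTS_ALLOW = "in.telnetd: 192.168.0.3 bar.foo.com\n"
```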
