Thanks for the hints.

I have run up2date and at least updated the kernel, iptables and a few other packages. But I still can't turn the firewall logging on. That means I have in my rules, when testing for badflags, a log instruction that eventually logs badflags combinations 15 times a minute. Here I must give the --log-prefix /var/log/badflags.

And that worked before I got hacked, but afterwards I get this log warning about the prefix as if the path to the logfile is not valid.

 "Todd A. Jacobs" <[EMAIL PROTECTED]> wrote:

On Thu, 17 Oct 2002, linux power wrote:

> I thought I had a good iptables firewall, but not good enough. Well
> anyway it took a couple of months before it happened-

A firewall is insufficient in and of itself. All a firewall does is allow
or block access to certain ports. It doesn't control what kind of traffic
flows through those sockets: that's up to the application or its
application-layer proxy to sort out.

If you want your system to be secure, you need to install a firewall of
course, but you also need to disable unnecessary services, tighten access
controls, limit privilege, monitor log files, and many other tasks.
"Security is a process, not a product."

I don't think it's been updated for psyche yet, but take a look at the
bastille hardening scripts and see what you can learn. At a minimum, you
should:

- Only install packages you know you'll need. Avoid "everything plus
the kitchen sink" installs.
- Use ntsysv to remove services you don't use or understand.
- Make heavy use of /etc/hosts.deny and /etc/hosts.allow to restrict
access.
- Disable xinetd unless you *really* need it. If you do, disable any
of its child services that you don't explicitly need.
- Install portsentry.
- Configure tripwire and READ the reports.
- Install logsentry and READ the reports.

Switching to Windows will not solve your problem, since Windows has even
more exploits than Linux and is much harder to secure and monitor.
And even if you choose to do so, the list of tasks isn't really all
that different: lock it down, and then monitor, monitor, monitor.

There is no quick fix for security. If you insist on looking for one, you
*will* get hacked again, regardless of the OS you choose to use.

--
"The only thing that helps me maintain my slender grip on reality is the
friendship I share with my collection of singing potatoes."

- Holly, JMC Vessel *Red Dwarf*





http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
