If I have a little $60 Netgear router, and provide no services through it -
do I have to worry about all this stuff?  It's my understanding that no ports
are being forwarded, so nothing can get through.  Or am I mistaken?

- bill




-----Original Message-----
From: Todd A. Jacobs [mailto:nospam@;codegnome.org]
Sent: Thursday, October 17, 2002 4:30 PM
To: RedHat List
Subject: Re: Tonight I got hacked.


On Thu, 17 Oct 2002, linux power wrote:

> I thought I had a good iptables firewall, but not good enough. Well
> anyway it took a couple of months before it happened-

A firewall is insufficient in and of itself. All a firewall does is allow 
or block access to certain ports. It doesn't control what kind of traffic 
flows through those sockets: that's up to the application or its 
application-layer proxy to sort out.

If you want your system to be secure, you need to install a firewall of
course, but you also need to disable unnecessary services, tighten access
controls, limit privilege, monitor log files, and many other tasks.
"Security is a process, not a product."

I don't think it's been updated for psyche yet, but take a look at the 
bastille hardening scripts and see what you can learn. At a minimum, you 
should:

    - Only install packages you know you'll need. Avoid "everything plus
      the kitchen sink" installs.
    - Use ntsysv to remove services you don't use or understand.
    - Make heavy use of /etc/hosts.deny and /etc/hosts.allow to restrict
      access.
    - Disable xinetd unless you *really* need it. If you do, disable any
      of its child services that you don't explicitly need.
    - Install portsentry.
    - Configure tripwire and READ the reports.
    - Install logsentry and READ the reports.

Switching to Windows will not solve your problem, since Windows has even 
more exploits than Linux and is much harder to secure and monitor. 
And even if you choose to do so, the list of tasks isn't really all 
that different: lock it down, and then monitor, monitor, monitor.

There is no quick fix for security. If you insist on looking for one, you
*will* get hacked again, regardless of the OS you choose to use.

-- 
"The only thing that helps me maintain my slender grip on reality is the
friendship I share with my collection of singing potatoes."

                        - Holly, JMC Vessel *Red Dwarf*
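The hosts.allow/hosts.deny advice above is easy to get wrong because an empty hosts.deny means "allow everything not listed". The following is an added example, not code from the original thread: a small evaluator of TCP Wrappers (hosts_access) rules that runs the weak default beside the hardened default-deny pair. The sample files are constructed; only the common pattern forms (ALL, LOCAL, domain suffix, dotted prefix, net/mask or CIDR, exact host/address) are implemented, and EXCEPT lists are not.

```python
import ipaddress
import re

# Constructed sample files. The weak case is an empty hosts.deny; the
# hardened case adds "ALL : ALL" so anything not explicitly allowed is refused.
HOSTS_ALLOW = """\
# daemon_list : client_list
sshd : 192.168.1. , .lan.example
ALL : 127.0.0.1
"""
HOSTS_DENY_WEAK = ""
HOSTS_DENY_HARD = "ALL : ALL\n"


def parse(text):
    """Turn hosts.allow/hosts.deny text into (daemon_list, client_list) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = re.split(r"[,\s]+", fields[0])
        clients = re.split(r"[,\s]+", fields[1])
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against a resolved hostname and IP address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                  # any name without a dot
        return "." not in host
    if pattern.startswith("."):             # domain suffix, e.g. .lan.example
        return host.endswith(pattern)
    if pattern.endswith("."):               # dotted address prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                      # net/mask or CIDR form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)


def allowed(daemon, host, addr, allow_text, deny_text):
    """hosts_access order: first hosts.allow match grants, first hosts.deny
    match refuses, and no match in either file grants access."""
    for rules, verdict in ((parse(allow_text), True), (parse(deny_text), False)):
        for daemons, clients in rules:
            if any(d in ("ALL", daemon) for d in daemons) and any(
                client_matches(c, host, addr) for c in clients
            ):
                return verdict
    return True
```

With the weak files an unknown Internet host reaches sshd because nothing denies it; with "ALL : ALL" in hosts.deny the same connection is refused while the LAN and loopback entries still work.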



-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@;redhat.com?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list