On Mon, Dec 16, 2002 at 09:15:45AM -0800, Burke, Thomas G. wrote:
> I've thought about that, but really, My firewall only allows
> connection to ssh, sendmail, and http, so there's not a lot to worry
> about security-wise.

Two reactions.  

First, firewalls aren't as tight as people think.  There are
frequently ways through them.

Second, "only" and the list ssh, sendmail, and http don't necessarily
go together.  

OpenSSH has had bad security holes in the past, and it might again.
Keeping it up to date is important, so make sure your approach will
make it easy enough for you to keep yours up to date.  

Sendmail has historically been buggy.  Lately there have been fewer
security holes, but the configuration file is still very complex.
Complexity is dangerous.  You want to keep sendmail up to date too.
(I use qmail, but it is annoying; I am considering moving to Postfix.)

httpd.  What is "httpd"?  That can be anything from little boa serving
up static pages to big Apache doing multiple virtual domains and lots
of scripting.  There seems to always be another security bug in those
script collections.

> I don't feel like having to learn something besides ipchains, since
> I've got that working good.

The little I have played with Linux's firewall software, it doesn't
look that bad to learn.  But I don't use it.  I keep my services
trimmed, I keep what I have up to date, I try not to change the
configuration in ways that are beyond my understanding of the package
in question and its security implications.  Red Hat's recent
distributions default to pretty good security, not deviating too far
from that without careful thought is smart.  But I don't know if that
platitude applies as far back as 6.2.

> As long as I can keep it updated to a certain point

With 6.2 you are soon going to be on your own watching Bugtraq and
compiling from sources to fix things.  And when the first big bug
comes out you will find the fix in the newest version of Foo, and that
might start an upgrade cascade that is far more painful than going
with 7.3 or 8.0.

Yes, there is maybe more up front work to go with a new distribution,
but don't underestimate what it means to be on your own in a few
months...

-kb, the Kent whose affection for Red Hat went up with the 7s.
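The point above (what the firewall admits is only half the picture; what is listening behind it matters too) as an added example, not code from either poster. It assumes the firewall allowlist named in the thread (22 ssh, 25 sendmail, 80 http) and uses a constructed listing in the shape of `ss -ltn` output rather than a real host's sockets.

```shell
#!/bin/sh
# Added example: compare what actually listens against what the firewall
# admits. ALLOWED follows the thread (ssh, sendmail, http); SAMPLE_LISTEN is
# constructed sample text in `ss -ltn` shape, not output from a real host.
ALLOWED="22 25 80"

SAMPLE_LISTEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      10     0.0.0.0:25         0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:111        0.0.0.0:*
LISTEN 0      5      127.0.0.1:631      0.0.0.0:*'

# Print "addr port" for every socket bound on all interfaces. Loopback-only
# listeners (127.0.0.1:631 here) are unreachable from outside regardless.
external_listeners() {
    printf '%s\n' "$SAMPLE_LISTEN" | awk '$1 == "LISTEN" {
        n = split($4, a, ":"); if (a[1] == "0.0.0.0") print a[1], a[n] }'
}

# is_allowed PORT: true if the firewall lets PORT through.
is_allowed() {
    for p in $ALLOWED; do [ "$p" = "$1" ] && return 0; done
    return 1
}

# Ports both listening externally and admitted by the firewall. These are
# the daemons whose patch level decides the box's real exposure.
exposed_ports() {
    external_listeners | while read -r _ port; do
        is_allowed "$port" && printf '%s\n' "$port"
    done | xargs
}

# Ports listening externally but blocked by a rule. The firewall is the only
# thing hiding them, so trim the service instead of relying on the rule.
hidden_ports() {
    external_listeners | while read -r _ port; do
        is_allowed "$port" || printf '%s\n' "$port"
    done | xargs
}

if [ "${1:-}" = "report" ]; then
    echo "exposed (keep patched): $(exposed_ports)"
    echo "hidden (candidates to remove): $(hidden_ports)"
fi
```

Run it as `sh audit.sh report`; on a live system you would replace SAMPLE_LISTEN with real `ss -ltn` (or `netstat -ltn`) output.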
