2009/11/2 Daniel Bush <dlb.id...@gmail.com>: > I was following Rick's recent post about penetration testing with some > interest. I'm looking at complying with anz e-gate for e-commerce > transactions. ANZ has this declaration form for internet sites that you > have to sign. One of the tick boxes says "Do you operate a firewall that is > regularly updated?"
I'm a bit late in the party but still wanted to add my two cents if that's OK. Some relevant points I learned during the PCI DSS compliance process we've gone through: 1. "They" also care not just about preventing people getting unauthorised access to your server but also in making it difficult to get data out (e.g. by someone with an "inside knowledge"). So firewall rules should also limit outgoing connections to specific hosts. E.g. you want to talk to specific, hopefully more trusted, DNS and NTP servers, specific upstream SMTP servers (instead of allowing access to just about any SMTP server in the world) and maybe specific yum update servers, but not more. Since rules could be added to allow you temporary access outside for specific tasks, it might be prudent to verify once in a while that they are back to the way you expect them to be. 2. Application firewalls can add a lot to the simple "block everything except ports 80 and 443" iptables. I'm talking about mod_security and having its rules updated regularly to catch attempts to exploit holes in known application as they get discovered (e.g. http://www.gotroot.com/tiki-index.php?page=mod_security+rules). 3. "They" care about auditing and accountability - the rule of thumb is "no shared accounts" - if there are more than one users on the system then each should use their own account and "sudo ..." for each privileged command. It also makes it easier to track who did what and when (bash HISTTIMEFORMAT='%F %T ' is also very useful, not just for "Them"). 4. SE Linux is a major headache, I seem to be in the mainstream by disabling it for now. But it appears that once you get to learn it and tweak it properly it can add a lot to the security on your server and limit the damage done by a potential cracker. e.g. allow HTTP access to the yum servers only by the yum process, or send mail only from specific programs/scripts. The best tutorial I found about SE Linux so far resides in http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/ (I still have to finish reading it) In general - you can look at this as "ah yeh, the security lawyers and paper pushers are at it again" but I found that giving attention to these requirements and the thinking behind them makes a lot of security sense (most times - anti-virus for purely linux environment is pretty useless from what I've researched so far) and should end up in more secure servers. Cheers, --Amos -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html