CMC,

If you really want to lock down the box you will not only want the firewall as
the first line of defence, but you will want to identify whether you need or can
disable the following:

        - every service that is listed in /etc/inetd.conf
        - every program that has been started from /etc/rc2.d 
          ("ps aux" can help here, disable sendmail if you're not using it).
        - every setuid and setgid program on the system
          ("find / -perm +6000 -type f -ls" can help here).

This is a "defence in depth" policy. Your firewall is the first line of
defence. Disabling common but unnecessary inetd services is the next line.
Disabling unnecessary running daemons the next. Finally if someone does break
into your machine but hasn't got root privileges, disabling setuid or setgid
programs is the last line of defence as setuid/setgid programs are major
potential security holes.

A web server I set up using the above strategy initially had something like 40
ports open (use "netstat -tcp;netstat -udp") and 80+ setuid/setgid scripts. In
the end it had two ports open (http and ftp) and one setuid program
(/bin/login). 

Gary
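
The inventory described in the message above, as an added example that is not part of the original post: it lists the inetd.conf entries still enabled and reports setuid/setgid files that are missing from an approved list. The function names, the allow-list file and all sample data are assumptions constructed for illustration; the find call uses the portable `-perm -4000` / `-perm -2000` tests.

```shell
#!/bin/sh
# Added example (not from the original message). All sample data is constructed.

# Print "service/proto" for each enabled (uncommented, non-blank) inetd.conf entry.
inetd_enabled() {
    awk '!/^[ \t]*(#|$)/ { print $1 "/" $3 }' "$1"
}

# List setuid or setgid regular files under DIR without crossing filesystems.
suid_sgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print setuid/setgid files under DIR that are absent from ALLOW,
# a sorted allow-list with one path per line (hypothetical file).
unapproved_suid() {
    suid_sgid_files "$1" | comm -23 - "$2"
}

# Constructed demo data: a small inetd.conf and a fake bin directory.
work=$(mktemp -d)
cat > "$work/inetd.conf" <<'EOF'
# constructed sample
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
time    dgram   udp  wait    root    internal
EOF
mkdir "$work/bin"
for f in login mount ls; do
    : > "$work/bin/$f"
    chmod 755 "$work/bin/$f"
done
chmod 4755 "$work/bin/login" "$work/bin/mount"        # two setuid files
printf '%s\n' "$work/bin/login" > "$work/allow.txt"   # only login is approved

echo "enabled inetd services:"; inetd_enabled "$work/inetd.conf"
echo "setuid/setgid files:";    suid_sgid_files "$work/bin"
echo "not on allow-list:";      unapproved_suid "$work/bin" "$work/allow.txt"
```

Run periodically against `/` with a reviewed allow-list, the last function shows any setuid or setgid file that appeared since the box was locked down.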


