Dick Hertz Tux's lil' helper
Joined: 17 Apr 2003 Posts: 98 Location: Pacific Northwest, USA
Posted: Tue Jan 03, 2006 7:23 am Post subject: Security comments?
How does all of this sound:
1. I have a local DNS server running on my firewall that only answers inquiries on the non-public interfaces.
2. The public server behind my firewall is running qmail and sshd. Its home network is NFSd to my Mac Mini, but ONLY inside the network. (What I'm getting at here is, what services should not be run on the same box?)
3. All ports are blocked, with the exception of 22, 80, 443, and 993. I'm running OpenBSD with pf and "scrub in all no-df random-id min-ttl 255." All TCP ports are set to synproxy state. I know that punching holes in the firewall is Not a Good Idea, but how else can I make these services available to the outside world?
4. SSH is only allowed via public-key.
5. Outbound connections from the server to the client machines are blocked. The server can answer the client machines via states, though.
Any suggestions for improvements?
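To make the setup in the first post concrete, here is a pf.conf sketch that implements items 1, 3 and 5 (internal-only DNS on the firewall, the four SYN-proxied public TCP ports, and "server may answer clients but not call them"). This is an added example, not the poster's actual ruleset; it uses OpenBSD 3.x-era syntax (explicit "keep state" and "flags S/SA", which is what pf expected when the thread was written), and every interface name and address in it is an assumption. The server is assumed to sit on its own DMZ interface with a routed address.

```pf
# Added example pf.conf, not the poster's file. Interface names and
# addresses below are assumptions.
ext_if  = "fxp0"              # public side
int_if  = "fxp1"              # client LAN (Mac Mini and friends)
dmz_if  = "fxp2"              # assumed: the qmail/sshd/httpd box on its own segment
server  = "192.0.2.10"        # assumed server address, routed (see note on rdr below)
clients = "192.168.1.0/24"    # assumed client LAN
tcp_services = "{ 22, 80, 443, 993 }"

set block-policy drop
set skip on lo0

# Item 3: normalise all inbound traffic, exactly as in the post.
scrub in all no-df random-id min-ttl 255

# Default deny in every direction; each pass rule below is a deliberate hole.
block log all

# Item 1: the firewall's own DNS answers only on the non-public interfaces.
# Nothing passes port 53 in on $ext_if, so the resolver is invisible outside.
pass in on $int_if proto { tcp, udp } from $clients to ($int_if) port domain keep state
pass in on $dmz_if proto { tcp, udp } from $server  to ($dmz_if) port domain keep state

# Item 3: the four public TCP services, SYN-proxied so the firewall completes
# the three-way handshake before the server ever sees a SYN.
pass in on $ext_if proto tcp from any to $server port $tcp_services \
    flags S/SA synproxy state

# Item 5: clients may open connections to the server. The state entry created
# here is what lets the server's replies flow back; the server itself gets no
# pass rule toward $clients, and the explicit block makes the intent visible
# in pfctl -sr output.
pass in on $int_if proto tcp from $clients to $server port $tcp_services \
    flags S/SA keep state
block in log on $dmz_if from $server to $clients

# Firewall and client LAN out to the world (clients NATed). The server is
# deliberately not covered; give it its own narrow rule if it must deliver
# mail or fetch updates.
nat on $ext_if from $clients to any -> ($ext_if)
pass out on $ext_if from ($ext_if) to any keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading. If the server has a private address instead of a routed one, add `rdr on $ext_if proto tcp from any to ($ext_if) port $tcp_services -> $server` ahead of the filter rules; the pass rule on $ext_if then matches the translated destination. Since pf consults the state table before the ruleset, the server's replies to client-initiated connections are never touched by the block rule on $dmz_if, which is exactly the behaviour item 5 describes.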
unclecharlie Apprentice
Joined: 19 Dec 2005 Posts: 186 Location: Colorado, USA
Posted: Tue Jan 03, 2006 5:49 pm Post subject: One suggestion...
You could change your SSHD port to a high-numbered, non-root port. That way, the script kiddies won't be filling up your security logs. In general this is a good idea, as it makes things harder for an intruder without making anything harder for you...
And if you are really paranoid, you could run your webserver and/or DNS server in a chroot jail...
Charlie
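The port change suggested above pairs naturally with item 4 of the first post (key-only logins). The following sshd_config excerpt is an added example, not the poster's configuration: the port number and the account name are assumptions, and the options shown are the standard OpenSSH keywords of that era.

```conf
# Added example /etc/ssh/sshd_config excerpt, not the poster's file.
# A high, unprivileged port as suggested in the reply; 2222 is an
# arbitrary assumption, pick your own.
Port 2222
Protocol 2
PermitRootLogin no

# Item 4 of the first post: public-key authentication only. Turning off
# both password and challenge-response closes every interactive path.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no

# Restrict who may log in at all; "admin" is an assumed account name.
AllowUsers admin

X11Forwarding no
```

After restarting sshd, the firewall rule that opened port 22 has to be changed to the new port, or the service is simply unreachable. Moving the port keeps automated scanners out of the logs, but it is obscurity rather than a control: the key-only setting is what actually stops a guessed password from working, and it is worth confirming with `ssh -o PubkeyAuthentication=no -p 2222 admin@host` that the server refuses to fall back to a password prompt.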
sundialsvc4 Guru
Joined: 10 Nov 2005 Posts: 436
Posted: Tue Jan 03, 2006 5:58 pm
Look at the Hardened Gentoo project. If you expect your system to be attacked, this enables services to run and to do what they need to do without running as root.