Mailinglist Archive: opensuse-security (423 mails)
RE: [suse-security] AW: Squid on Firewall?
- From: "Thomas Michael Wanka" <tm_wanka@xxxxxxxxxxxxx>
- Date: Wed, 28 Mar 2001 14:52:47 +0200
- Message-id: <3AC1FABF.6003.49168082@localhost>
On 28 Mar 2001, at 8:08, Reckhard, Tobias wrote:
> However, of course you'll have programs running on the packet filter
> as well. First, there's the kernel. Then you've probably got syslogd
> and crond running.
A DHCP client is more likely. I would not have crond, the only thing
it had to do on such a computer is to rotate/compress logs, that
implies read write and delete rights to log files and that is the first
target for an intruder. Log files are to be append only in multiuser
mode, regular backups/logrotate functions are best done in
singleuser mode via serial terminal/console.
> Unless you're performing administration from the
> console only, you'll probably have sshd running.
For remote administration a serial line to a modem/ISDN server
(callback if possible) is the best thing to combine security with
comfort. This can be done and the cost compared to the level of
security one can achieve is marginal. And as a bonus, that way you
can alter even network configurations off site.
By the way, does someone here have resources of a port of mtree
to Linux?
TIA
mike
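
The append-only log policy described in the message above can be audited with a short script. This is an added example, not part of the original mail; it assumes a Linux filesystem where the append-only attribute is set with `chattr +a` and reported by `lsattr`, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report log files that lack the append-only attribute.
# Input: `lsattr` lines of the form "<flags> <path>" on stdin.
# Output: one path per line for every file without the lowercase 'a' flag.
missing_append_only() {
    while read -r flags path; do
        [ -n "$path" ] || continue            # blank or malformed line
        case "$flags" in
            *[!A-Za-z-]*) continue ;;         # not a flags field (e.g. an lsattr error line)
            *a*) ;;                           # append-only is set
            *)   printf '%s\n' "$path" ;;     # append-only missing: report
        esac
    done
}

# Constructed sample lsattr output (not taken from a real host).
# Note that capital 'A' (no atime updates) is a different flag from 'a'.
SAMPLE='-----a--------e------- /var/log/messages
--------------e------- /var/log/secure
-------A------e------- /var/log/firewall
----ia--------e------- /var/log/auth.log'

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE" | missing_append_only
}

# On a live system (assumed log location):
#   lsattr /var/log/* 2>/dev/null | missing_append_only
audit_sample
```

Any path printed is a log file that a process with write access could still truncate or rewrite.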