On Sun, Mar 09, 2003 at 02:00:01PM +0100, Michael Hoeller wrote:
> Hello David,
> This is the constellation:
> Here is the problem: I need to run a productive server (SuSE 8.0) to which real terminals are connected (-> no hard drive). The terminals boot via tftp and mount the required drives via NFS. For "online" backups I run rsync. The server must be reachable for remote maintenance via ISDN dial-in, also telnet and ftp.
>
> David Smith wrote:
> > Use SuSEfirewall2. Edit the configuration file /etc/sysconfig/SuSEfirewall2
>
> Would it really be enough to run SuSEfirewall2? I'd like to hook on to Matthias' answer:
It depends on how secure you want the system to be. My answer was maybe a little simplistic, and others have suggested extra security measures which are a good idea.
> > If possible drop ftp and telnet and use ssh / sftp instead. Or at least chroot the ftp process and don't let it run as root.
>
> OK, ssh and sftp are no problem, but for some maintenance tasks root access is needed. What would be a strategy in this case?
ssh in as a normal user, then su to root. Alternatively, you can allow ssh logins as root, but this is slightly less secure. If you know the IP (or range of IPs) which you will use to log in over ssh, you can restrict the firewall to allow only these IPs to contact the SSH port.
> > > The temporary connections to the internet for surfing and email should also be possible.
> > If it's connected to the internet install a *tight* firewall.
>
> Guess SuSEfirewall2 can do this, but what about ssh and sftp and dial-in?
ssh and sftp/scp are implemented by the SSH daemon running on the server. All the firewall has to do is to allow the port connections through. This is simple to configure. If you want really good security, you might consider a separate firewall machine, running a dedicated firewall distribution (e.g. IPCop). This could handle your dialout needs; you would then either need a second ISDN card for the server for dialins (where you would probably still want SuSEfirewall2 running), or you could run a more standard SuSE distribution on your firewall machine, suitably tied down. HTH...
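As an added illustration of what David describes (restricting the SSH port to known addresses while keeping tftp/NFS on the terminal LAN only), here is a constructed excerpt of /etc/sysconfig/SuSEfirewall2. It is not from the thread or from the SuSE project; the interface names ippp0 and eth0 and the admin address 192.0.2.10 are assumed placeholders, and the variable names are those of the SuSEfirewall2 configuration of the SuSE 8.x era. The weak setting is shown commented out beside the hardened one.

```shell
## /etc/sysconfig/SuSEfirewall2 -- constructed excerpt, not the distribution's file
## Assumed names: ippp0 = ISDN dial-in/dial-out interface, eth0 = LAN with the
## diskless terminals, 192.0.2.10 = the fixed address used for remote maintenance.

# The ISDN link is the untrusted "external" side, the terminal LAN is "internal".
FW_DEV_EXT="ippp0"
FW_DEV_INT="eth0"

# The server serves, it does not forward packets between the two sides.
FW_ROUTE="no"
FW_MASQUERADE="no"

# Weak setting (what "just switch the firewall on" often ends up as): every
# service the terminals need is also exposed on the ISDN side.
#FW_SERVICES_EXT_TCP="ssh ftp telnet"

# Hardened setting: nothing is open to the whole external side ...
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""

# ... and ssh (tcp/22) is accepted only from the known maintenance address.
# Entry format: "net,protocol,port"; several entries are space-separated.
FW_TRUSTED_NETS="192.0.2.10,tcp,22"

# tftp, portmap and NFS are never listed for the external side; with the
# internal interface unprotected they remain reachable from the terminal LAN.
FW_PROTECT_FROM_INTERNAL="no"

# Log dropped packets so a locked-out admin (or a probe) shows up in syslog.
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
```

After editing, reload with `rcSuSEfirewall2 restart` while an existing SSH session from the trusted address stays open, so a mistake in FW_TRUSTED_NETS does not lock you out. To enforce the "ssh in as a normal user, then su" pattern on the daemon side, set `PermitRootLogin no` in /etc/ssh/sshd_config.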