This "question" makes very little sense. You need to hire a consultant.
Hi All
In a production environment, what are the recommended security settings with performance in mind, given that the only services I will be providing are http, https, ssh2 - scp and smtp (i.e. secure, but with as little overhead as possible)? Kernel 2.4.x, using iptables, postfix and stronghold apache.
Q.1 What services can hosts.deny & hosts.allow secure? (mainly with regard to the services that I'm using above)
Q.2 Should I use stateful connection tracking on all ports or only the ssh, smtp and https ports? What is the stateful connection overhead?
Anything compiled with tcp_wrapper support. Or you can firewall. It's a "What kind of toothpaste should I buy?"-type question. Depends on how many connections. Depends on your security needs.
Q3. What ICMP should you block, and what must you answer directly or indirectly, so that you don't break other services or slow them down?
You can block all ICMP if you want, or none, or allow pings and maybe traceroutes, or block host unreachable, or not. Again, this is not a real question. It's like asking "which car should I buy?".
Q4. What are the recommended minimum ports and protocols that I must log, so that I can audit attacks and problems and keep logging overhead to a minimum, given that our ISP environment has a lot of broadcast traffic? e.g.
Everything. Or maybe nothing. Or something in the middle. Do you actually plan to do anything with these log files? Can you store them securely? "What kind of house should I buy?".
Q5. What DoS protection options are there with iptables, and how do you work out the rate to limit at? I have syncookie protection enabled.
How many connections do you expect? What limits can you sustain? How much damage can you sustain? "Should I get the vegetable tempura, or some tamago and vegetarian inside out rolls?".
Q6. Is it still recommended to reject mail server connections to port 113? Is the following setting correct: iptables -A INPUT -i eth1 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
Do you want to allow ident lookups? "Should I put my money into a no-load mutual fund, or T-bills?".
Thanks in Advance
Steven
Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/security/
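The points raised in this exchange (stateful tracking on every port versus per service, which ICMP to admit, rate-limited logging that ignores broadcast noise, a SYN rate limit alongside syncookies, and the port 113 REJECT with tcp-reset) can be put together into one small ruleset. The script below is an added example, not code from the thread or from Kurt or Steven; the interface name eth1 comes from the question, while the rate thresholds, the SYNLIMIT chain name and the log prefixes are assumptions to be tuned against the real traffic levels.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal iptables ruleset for a host
# offering only HTTP, HTTPS, SSH and SMTP, covering the points discussed above
# (stateful tracking, selective ICMP, rate-limited logging, SYN rate limiting,
# ident rejected with a TCP reset). Interface name and all rate thresholds are
# assumptions to be tuned against real traffic levels.
set -e

IFACE="${IFACE:-eth1}"   # assumed external interface, as in the question
DRY_RUN="${DRY_RUN:-}"   # set to print the commands instead of applying them

# ipt: apply a rule, or print it when DRY_RUN is set so the ruleset can be
# reviewed (or tested) on a machine without root or iptables.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT

    # Stateful tracking: one ESTABLISHED,RELATED rule up front admits the
    # replies for every service, so conntrack is consulted once per packet
    # rather than once per port. INVALID packets never belong to a flow.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # Broadcast noise from the ISP segment: drop it silently, before logging.
    ipt -A INPUT -d 255.255.255.255 -j DROP

    # Ident (113): REJECT with tcp-reset makes remote MTAs that do ident
    # lookups fail at once instead of waiting out a timeout on a DROP.
    ipt -A INPUT -i "$IFACE" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # SYN rate limit for new connections (assumed thresholds). Above the
    # token-bucket rate the excess is logged (itself limited) and dropped;
    # syncookies still protect the backlog for whatever gets through.
    ipt -N SYNLIMIT
    ipt -A SYNLIMIT -m limit --limit 25/s --limit-burst 50 -j RETURN
    ipt -A SYNLIMIT -m limit --limit 1/s -j LOG --log-prefix "SYNFLOOD:"
    ipt -A SYNLIMIT -j DROP
    ipt -A INPUT -i "$IFACE" -p tcp --syn -j SYNLIMIT

    # The four services: only NEW connections need explicit rules.
    for port in 22 25 80 443; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # ICMP: answer pings (rate-limited) and accept the error types that keep
    # path-MTU discovery and traceroute working; everything else falls through
    # to the logging rule and the DROP policy.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

    # Audit trail: log what reaches the end of the chain (i.e. what the DROP
    # policy will discard), throttled so a scan or flood cannot fill the disk.
    ipt -A INPUT -i "$IFACE" -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP:" --log-level 4
}

# rule_count PATTERN: number of generated rules matching PATTERN (dry run only).
rule_count() {
    ( DRY_RUN=1; build_ruleset ) | grep -c -- "$1"
}

case "${1:-}" in
    --apply)   build_ruleset ;;
    --dry-run) DRY_RUN=1; build_ruleset ;;
esac
```

Run it with `--dry-run` to review the generated commands before `--apply`. Note that the firewall, not tcp_wrappers, is what protects Apache and Postfix here: hosts.allow and hosts.deny only act on daemons linked against libwrap (sshd of that era) or started through tcpd from inetd, which is the "anything compiled with tcp_wrapper support" in the answer to Q.1.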