Ok, let's say I'll put a firewall PC on my network... I have to create a masquerade rule to let the internet access my intranet web server, right? (By the way, I'm trying to find out how to do that under YaST but don't get the difference between the options "Source network" and "requested IP", so if someone could help me with this I'd appreciate it... There are several options to create a rule, so please elucidate me.) Doesn't this rule open a hole in my intranet security if, let's say, my web server gets compromised?

On 12/14/05, Crispin Cowan <crispin@novell.com> wrote:
miguel gmail wrote:
Please check if you are running X windows and if there is a screensaver active! Don't run X on servers!!
Why not? That is, what is the problem with running an X server on a server machine? I understand that it may take lots of resources, so I won't run KDE, say. But some packages do require (as far as I know) an X server (Oracle does, if I remember correctly).
Well, try not to run X on servers, because it is a memory and CPU hog, and you generally want your servers to have lots of memory and CPU available to serve clients.
But really REALLY don't run X on security-exposed servers, because X is very, very difficult to secure.
Is there anything wrong with running WindowMaker? (I mean security issues, not just performance issues.)
It doesn't really matter which desktop or window manager you use. X and its raft of applications are fundamentally vulnerable, because a HUGE volume of code is running as root, and a lot of it connects to the network unless you actively configure it not to. Another large problem with X on a security-sensitive server is if you actually run desktop applications (mail clients, IM clients, P2P clients, OpenOffice, etc.) and they get compromised by some vulnerability in the application, then your server is compromised.
All of this is based on the premise that your server is far more important/valuable than just one desktop, because only one person depends on the desktop, while *everyone* in the organization depends on the server. But if we are just talking about the machines in your basement :) then you likely have one client and one server and they may be the same machine, in which case the "importance" argument is moot.
However, the security benefit of a hardened gateway machine (a firewall) is still strong, and it doesn't have to be a big machine. Either go buy a cheap, old, crappy i486 or something with 32MB of RAM and deploy it as a firewall, or go buy one of those $100 firewall appliances from Linksys or whatever. But get yourself a firewall, it is much better than hoping that Gaim has finally fixed all the vulnerabilities :)
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
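The masquerade/port-forward question at the top of the thread, as an added example that is not part of the original posts: a minimal iptables rule set for the small dedicated gateway box Crispin recommends. It forwards only TCP port 80 from the outside to the intranet web server and, to limit what a compromised web server could do, refuses any new connection that server tries to open through the gateway. The interface names and the web server address are assumptions.

```shell
#!/bin/sh
# Constructed example: rules for a dedicated gateway that exposes one intranet
# web server on port 80 and nothing else. Interface names and addresses are
# assumptions; adjust them to your own network.
WAN=eth0           # interface facing the Internet
LAN=eth1           # interface facing the intranet
WEB=192.168.1.10   # intranet web server (assumed address)

# Emit the commands instead of running them, so the rule set can be reviewed
# first. Apply as root with:  sh firewall.sh | sh
firewall_rules() {
  echo "iptables -F; iptables -t nat -F"
  echo "iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  # Replies to connections the gateway already knows about are always fine.
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Rewrite inbound HTTP so it is delivered to the intranet web server...
  echo "iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB:80"
  # ...and forward exactly that traffic from outside, nothing else.
  echo "iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $WEB --dport 80 -m state --state NEW -j ACCEPT"
  # The web server may answer requests, but may not START connections through
  # the gateway: if it is compromised it cannot phone home or fetch tools.
  # This pair must come before the general LAN->WAN rule below.
  echo "iptables -A FORWARD -i $LAN -s $WEB -m state --state NEW -j LOG --log-prefix 'webserver-egress: '"
  echo "iptables -A FORWARD -i $LAN -s $WEB -m state --state NEW -j DROP"
  # Other intranet hosts may go out, masqueraded behind the gateway's address.
  echo "iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
  echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Number of rules that let the Internet open a NEW connection inward
# (should be exactly one: the web server's port 80).
inbound_allow_count() {
  firewall_rules | grep -c -- "-i $WAN .*--state NEW -j ACCEPT"
}

# Succeeds only if the web server's egress DROP precedes the general
# LAN->WAN ACCEPT, i.e. the rule order really enforces the restriction.
webserver_egress_blocked() {
  drop=$(firewall_rules | grep -n -- "-s $WEB .*-j DROP" | cut -d: -f1)
  allow=$(firewall_rules | grep -n -- "-i $LAN -o $WAN .*-j ACCEPT" | cut -d: -f1)
  [ -n "$drop" ] && [ -n "$allow" ] && [ "$drop" -lt "$allow" ]
}

firewall_rules
```

Hosts on the same intranet segment as the web server never cross the gateway, so this only limits what the server can reach through the firewall; the LOG line is there so an egress attempt shows up in syslog.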