Hello!!
I want to switch progressively to Linux (As a programmer, I become more and more ashamed of not having experience using it.) and I'm connected to the 'net.
I will try to download the update from SuSE 6.3 to 7.0 and install it.
Since I am permanently connected to the 'net, I wonder what precautions I should take before/after the installation. My connection is through a cable modem if it is a useful info. Should I be as paranoid as with a Win98 system or is the default config in SuSE more/less secure?
Thank you for your help!
Patrick
Hi Patrick,
> Hello!!
> I want to switch progressively to Linux (As a programmer, I become more and more ashamed of not having experience using it.) and I'm connected to the 'net.
> I will try to download the update from SuSE 6.3 to 7.0 and install it.
> Since I am permanently connected to the 'net, I wonder what precautions I should take before/after the installation. My connection is through a cable modem if it is a useful info. Should I be as paranoid as with a Win98 system or is the default config in SuSE more/less secure?
> Thank you for your help!
> Patrick
Once your installation is complete, check the update directory on a mirror
from ftp.suse.com and install all security-relevant update packages. Get
the netscape packages, and the libc upgrade!
Then, check on which ports your machine listens, using
`netstat -anp|grep LISTEN`. Reduce the amount of servers listening on tcp
and udp sockets to the bare minimum, disable everything that you don't
need (keeping in mind that people usually only need the client side of
some package, this might be easy.). Start with /etc/inetd.conf and end
with /etc/rc.config, /etc/rc.config.d/* and see the netstat output again.
Roman.
--
Roman Drahtmüller
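Added example, not part of Roman's message: a short Python pass over the two places his reply points at, the `netstat -anp|grep LISTEN` output and /etc/inetd.conf. The netstat lines and the inetd.conf fragment are constructed samples, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `netstat -anp | grep LISTEN` output (not from the thread).
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:21        0.0.0.0:*     LISTEN      312/inetd
tcp        0      0 0.0.0.0:23        0.0.0.0:*     LISTEN      312/inetd
tcp        0      0 0.0.0.0:111       0.0.0.0:*     LISTEN      201/portmap
tcp        0      0 127.0.0.1:25      0.0.0.0:*     LISTEN      410/sendmail
tcp        0      0 0.0.0.0:6000      0.0.0.0:*     LISTEN      530/X
"""

# Constructed /etc/inetd.conf fragment; commented-out lines are disabled services.
INETD_SAMPLE = """\
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
# shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
# finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

def exposed_listeners(netstat_text):
    """Return (port, program) for TCP listeners bound to a non-loopback address."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")
        if not ipaddress.ip_address(addr).is_loopback:
            found.append((int(port), f[6].split("/", 1)[-1]))
    return sorted(found)

def enabled_inetd_services(conf_text):
    """Return service names on active (uncommented) inetd.conf lines."""
    names = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(line.split()[0])
    return names

if __name__ == "__main__":
    for port, prog in exposed_listeners(NETSTAT_SAMPLE):
        print(f"reachable from the network: tcp/{port} ({prog})")
    print("inetd still offers:", ", ".join(enabled_inetd_services(INETD_SAMPLE)))
```

Listeners owned by inetd are switched off in /etc/inetd.conf; the remaining ones belong to services started from the rc configuration.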
Thank you all for the good replies you gave me already, I will have some info to go through.
One thing is that I see that everybody in this list is talking about firewall scripts. What do those scripts actually do? Do they just configure the system for it to be like a firewall? Is the firewall a feature of Linux and you just need to configure it? Are there additional firewalls to install as an application?
Also, what is the technology used in those firewalls? I mean it could be static and/or dynamic, port oriented and/or application oriented.
I just hope that those questions do not seem ridiculous in the world of Linux. At least they are not in "the other world".
Thanks again for your help!
Patrick
At 15:47 30/10/00 +0100, you wrote:
> Hi Patrick,
> > Hello!!
> > I want to switch progressively to Linux (As a programmer, I become more and more ashamed of not having experience using it.) and I'm connected to the 'net.
> > I will try to download the update from SuSE 6.3 to 7.0 and install it.
> > Since I am permanently connected to the 'net, I wonder what precautions I should take before/after the installation. My connection is through a cable modem if it is a useful info. Should I be as paranoid as with a Win98 system or is the default config in SuSE more/less secure?
> > Thank you for your help!
> > Patrick
> Once your installation is complete, check the update directory on a mirror from ftp.suse.com and install all security-relevant update packages. Get the netscape packages, and the libc upgrade!
> Then, check on which ports your machine listens, using `netstat -anp|grep LISTEN`. Reduce the amount of servers listening on tcp and udp sockets to the bare minimum, disable everything that you don't need (keeping in mind that people usually only need the client side of some package, this might be easy.). Start with /etc/inetd.conf and end with /etc/rc.config, /etc/rc.config.d/* and see the netstat output again.
> Roman.
> --
> Roman Drahtmüller
> SuSE GmbH - Security
> Nürnberg, Germany
> "Caution: Cape does not enable user to fly." (Batman Costume warning label)
> Thank you all for the good replies you gave me already, I will have some info to go through.
> One thing is that I see that everybody in this list is talking about firewall scripts. What do those scripts actually do? Do they just configure the system for it to be like a firewall? Is the firewall a feature of Linux and you just need to configure it? Are there additional firewalls to install as an application?
Usually, we just talk about scripts, no additional products as a kernel extension would be. The script has the task of giving certain things a name so that the more or less experienced user/admin can easily configure the setup. There is always a narrow path to go between making the thing more complicated or easier to use. It's best to try it out and to dig into it for a few minutes. I find that it's best to know what's going on behind the scenes. The firewall-initialization script can just be as easy as
    ipchains -F input
    # blocks this network, logging:
    ipchains -A input -p tcp -j DENY -l -s 123.234.0.0/255.255.0.0
    # pop connection
    ipchains -A input -p tcp -j ACCEPT -s my-mailrelay.provider.com -d 0/0 110
    # mails out, smtp
    ipchains -A input -p tcp -j ACCEPT -s my-mailrelay.provider.com 25
    # irc
    ipchains -A input -p tcp -j ACCEPT -s my-ircserver 6667
    # http traffic:
    ipchains -A input -p tcp -j ACCEPT -s 0/0 80
    # blackhole all the rest:
    ipchains -A input -p tcp -j REJECT
    # DNS traffic inbound:
    ipchains -A input -p udp -j ACCEPT -s my-dns 53
    # blackhole all UDP:
    ipchains -A input -p udp -j DENY
    # log all ICMP, let it through:
    ipchains -A input -p icmp -j ACCEPT -l
> Also, what is the technology used in those firewalls? I mean it could be static and/or dynamic, port oriented and/or application oriented.
These rules above are all static, poked into the kernel by the ipchains command. They happen on ISO/OSI layer 3+4 (ip, (tcp,udp,icmp)). So you see, there's no rocket science behind it.
> I just hope that those questions do not seem ridiculous in the world of Linux. At least they are not in "the other world".
Not at all. Some things in the docs have been written with small facts taken for granted already. The best time to start writing about something is when you learn it.
> Patrick
Roman.
--
Roman Drahtmüller
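Added example, not part of Roman's message: a small Python model of the input chain listed in his reply, showing what static layer 3/4 filtering means in practice: rules are checked in order and the first match decides. The placeholder IP addresses for the hostnames, the sample packets and the ACCEPT policy for unmatched packets are assumptions; the "blackhole all UDP" rule is modelled with protocol udp.

```python
import ipaddress

# Placeholder addresses standing in for the hostnames in the rules (constructed).
HOSTS = {"my-mailrelay.provider.com": "192.0.2.25",
         "my-ircserver": "192.0.2.66",
         "my-dns": "192.0.2.53"}
ANY = "0.0.0.0/0"

def net(spec):
    """Turn a rule's -s argument (hostname, address or addr/mask) into a network."""
    return ipaddress.ip_network(HOSTS.get(spec, spec), strict=False)

# (proto, source net, source port, dest port, target, log), in the order of the script.
RULES = [
    ("tcp", net("123.234.0.0/255.255.0.0"), None, None, "DENY", True),
    ("tcp", net("my-mailrelay.provider.com"), None, 110, "ACCEPT", False),
    ("tcp", net("my-mailrelay.provider.com"), 25, None, "ACCEPT", False),
    ("tcp", net("my-ircserver"), 6667, None, "ACCEPT", False),
    ("tcp", net(ANY), 80, None, "ACCEPT", False),
    ("tcp", net(ANY), None, None, "REJECT", False),
    ("udp", net("my-dns"), 53, None, "ACCEPT", False),
    ("udp", net(ANY), None, None, "DENY", False),
    ("icmp", net(ANY), None, None, "ACCEPT", True),
]

def verdict(proto, src, sport=None, dport=None):
    """First matching rule wins; only header fields of this one packet are examined."""
    for r_proto, r_src, r_sport, r_dport, target, log in RULES:
        if (proto == r_proto and ipaddress.ip_address(src) in r_src
                and r_sport in (None, sport) and r_dport in (None, dport)):
            return target, log
    return "ACCEPT", False  # assumed chain policy when no rule matches

if __name__ == "__main__":
    # Constructed sample packets: (proto, source address, source port, dest port).
    samples = [("tcp", "192.0.2.25", 25, 1044), ("tcp", "123.234.5.6", 80, 1045),
               ("tcp", "198.51.100.7", 80, 1046), ("tcp", "198.51.100.7", 40000, 22),
               ("udp", "192.0.2.53", 53, 1050), ("udp", "198.51.100.7", 53, 1050),
               ("icmp", "198.51.100.7", None, None)]
    for pkt in samples:
        target, log = verdict(*pkt)
        print(pkt, "->", target, "(logged)" if log else "")
```

The second sample shows why rule order matters: the packet carries source port 80, but the earlier DENY for 123.234.0.0/255.255.0.0 matches first.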
participants (2)
- Patriiiiiiiiiick
- Roman Drahtmueller