Mailinglist Archive: opensuse-security (343 mails)

Re: [suse-security] Newbie firewall installation question
  • From: Jörg Frühbrodt <joerg@xxxxxxxxxxxxxx>
  • Date: Thu, 12 Jul 2001 16:15:19 +0200
  • Message-id: <20010712161519.B1669@xxxxxxxxxxxxx>
Hi Maurits,

> As I want to install as little as possible what's the best "quick" solution.
> Under Yast Select "Minimum" and after that Network and Security packages?
You may also use the DMZ config. For some reason it installs packages like
nkita and nkitb, where the latter includes unsafe software like rlogin,
rexec etc. I recommend scrapping them and replacing them with OpenSSH. Here
is a cut-down SuSE installation:

aaa_base-2001.1.23-0
aaa_dir-2001.1.17-0
aaa_skel-2001.1.26-0
autolog-0.35-192
base-2001.1.15-0
bash-2.04-87
bc-1.06-10
bdflush-1.5-294
bzip-1.0.1-5
dump-0.4b20-4
compress-4.2.4-287
cpio-2.4.2-295
cron-3.0.1-296
db-3.1.17-13
devs-2001.1.2-3
diffutils-2.7-31
e2fsprogs-1.19-7
file-3.32-35
fileutils-4.0.35-3
findutils-4.1.6-14
gawk-3.0.6-41
gdbm-1.8.0-225
ash-0.2-294
glibc-2.2-7
gppshare-2.95.2-149
scanlogd-2.2-5
gzip-1.3-4
kbd-1.03a-39
less-358-26
libz-1.1.3-284
lilo-21.6-17
seccheck-1.6-4
man-2.3.10d69s-171
mktemp-1.5-150
modutils-2.4.1-3
net-tools-1.57-6
netcfg-2000.12.14-2
secumod-1.6b-3
pam-0.72-169
pam_devperm-2000.12.1-6
perl-5.6.0-39
ps-2001.1.22-0
rpm-3.0.6-26
sash-3.4-170
sh-utils-2.0-6
shadow-20000902-34
syslogd-1.3.33-197
sysvinit-2.78-143
terminfo-5.2-8
tripwire-1.2-258
textutils-2.0.10-5
timezone-2.2-7
util-linux-2.10q-7
vim-5.7-42
yast-1.09-7
ed-0.2-277
eject-2.0.2-185
openssh-2.3.0p1-5
k_deflt_24-2.4.0-7

I've replaced the default kernel k_deflt_24-2.4.0-7 with the latest version
and patches. There are quite a few other packages that require an update.
Check on www.suse.com.

> Furthermore I was thinking to partition my disk with a app. 12MB /boot 128
> /swap (there's about 90 ram) and the rest app. 1G /
> Is that a "correct and smart setup for a dedicated firewall. Would LVM be an
> option? (Would think not but...)
>
> Any help would be appreciated. (Tried smoothwall before but Zyxel modem
> doesn't want to work with chat, does with wvdial.
You may create these partitions, too: (excerpt from /etc/fstab)

/dev/sda3 /usr ext2 defaults,ro,nodev 1 1
/dev/sda4 /var ext2 defaults,nodev 1 2
/dev/sda7 /tmp ext2 defaults,noexec,nosuid,nodev 1 2

Note that /usr is set read-only. /tmp disallows program execution, creation
of device files and disarms suid programs. Separating /var from / prevents
denial of service attacks.

There are a lot more things to do to harden Linux. Fortunately there is
documentation on the net:

http://www.linuxdoc.org/guides.html
http://www.interhack.net/pubs/fwfaq
http://nic.com/~dave/Security/
You can also buy good books:
Building internet firewalls, 2nd Edition, O'Reilly
Practical UNIX and Internet Security, 2nd Edition, O'Reilly

Have a lot of fun
--
Jörg Frühbrodt <jf@xxxxxxxxxxxxx>
IT-Consulting
Lessingstr. 9
D-14532 Kleinmachnow b. Berlin
T +49 (0) 33 20 38 14 20
F +49 (0) 33 20 38 14 23
M +49 (0) 172 38 71 63 6
http://www.fruehbrodt.de
http://www.fruehbrodt.org
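
Added example (not part of the message above): a Python check that parses fstab text and reports which of the three mount points from the /etc/fstab excerpt lack the options shown there. The function names and the weak sample are constructed for illustration; the check assumes `defaults` changes nothing by itself and that a later option overrides an earlier one.

```python
# Added example: audit fstab text against the options in the message's excerpt.
# REQUIRED mirrors that excerpt; helper names and WEAK_FSTAB are constructed.
REQUIRED = {"/usr": {"ro", "nodev"}, "/var": {"nodev"},
            "/tmp": {"noexec", "nosuid", "nodev"}}
# Restrictive flag -> the permissive flag that cancels it.
OPPOSITE = {"ro": "rw", "nodev": "dev", "nosuid": "suid", "noexec": "exec"}
NOT_SEPARATE = "(no separate filesystem)"

MESSAGE_FSTAB = """\
/dev/sda3 /usr ext2 defaults,ro,nodev 1 1
/dev/sda4 /var ext2 defaults,nodev 1 2
/dev/sda7 /tmp ext2 defaults,noexec,nosuid,nodev 1 2
"""
WEAK_FSTAB = """\
# constructed sample: /usr writable, no /var entry, noexec cancelled by exec
/dev/sda3 /usr ext2 defaults,nodev 1 1
/dev/sda7 /tmp ext2 defaults,noexec,nosuid,nodev,exec 1 2
"""

def effective_flags(options):
    """Resolve a comma-separated option string left to right (last one wins)."""
    active = set()
    for opt in options.split(","):
        if opt in OPPOSITE:
            active.add(opt)
        for strict, loose in OPPOSITE.items():
            if opt == loose:
                active.discard(strict)
    return active  # "defaults" and unrelated options change nothing here

def audit_fstab(text):
    """Map each REQUIRED mount point to the options it lacks (empty = all set)."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        seen[fields[1]] = effective_flags(fields[3])
    findings = {}
    for mount, need in REQUIRED.items():
        if mount not in seen:
            findings[mount] = [NOT_SEPARATE]
        elif need - seen[mount]:
            findings[mount] = sorted(need - seen[mount])
    return findings

if __name__ == "__main__":
    for name, text in (("message", MESSAGE_FSTAB), ("weak", WEAK_FSTAB)):
        print(name, audit_fstab(text) or "ok")
```

Options implied by other flags (for example `user`) are not modelled, so such entries are reported as missing the explicit option.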

