Hi,

On 27-Sep-01 Ray Dillinger wrote:
> I have a machine, which serves several purposes. It is my main development platform, and it is also my main webserver.
Is this a public web server?
> I've gone through the system and shut down all network services I'm not using -- for example squid came down, because I am not using proxy service at all, and ftpd came down because I don't want to provide ftp services. Rlogin, fingerd, telnetd, hylafax, etc., are also gone. No trusted hosts are defined for rlogin and friends to use anyway; the other boxes on my network are not considered "safe".
> I'm using an apache server which I've been through extensive configuration on -- removing most of the modules because I wasn't using them. CGI is still there, but it's not activated on any host except the "default" host (which is only accessible from 127.0.0.1) and there are only two CGI scripts: these are the English-language "search" scripts that hunt through the documentation for keywords and topics, used by the SuSE help system, which I've kept onboard -- both of which I've audited for security. There were similar scripts to search in other languages, but since I'm not using other languages, they are gone now.
> Finally, the 'su' binary is moved to sbin, and not available to any user except root.
Uhm... That one seems to be a "zip'ped unzip" ;)
> I keep copies of my websites offline, on floppy disks. Ditto my inetd.conf, httpd.conf, and a few other configuration files, and, finally, my source code -- so if the machine ever gets subverted, I can restore them easily.
> Now, here is my question: Do I get material additional security from my firewall, or does over-the-top paranoia on the other aspects of the config obviate the need for it?
You did the Right Thing by switching off all these unused services. Unfortunately you didn't state whether this machine is the "outpost" of a LAN connected to the internet or an internal web server with some development tools on it, or just your client PC connected via ISDN/cable/modem. If it is a publicly accessible server I would definitely firewall it, no matter how many backups I'd have to reconstruct the system. There are many ways to "own" (crack) an improperly secured web server, not only brute-force attacks which lead to a system crash, but also more sinister, silent creep-ins of more skilled individuals who could use your server as a leap point to start attacks against other systems by cracking your server, installing high-port file transfer daemons (ftp, ssh/sftp, rcp, whatever), uploading some funny stuff and compiling it using your pre-installed development tools. Without firewalling, you'd have no real protection against these kinds of attacks. If you have a public web server - go and firewall it, for God's sake. If it's a client PC at work/at home you could use the already-mentioned SuSE personal firewall, which is easy to configure and understand. Of course there is no need for hyperventilated paranoia, but a good sense of security and the acceptance of the fact that even the smallest home system can be the target (and thus often the source for further attacks) of malicious system crackers seems to be appropriate.
> Bear
Boris Lorenz
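The two halves of this exchange, Ray's "shut down everything I'm not using" exercise and Boris's "firewall it anyway" advice, are both things a practitioner would want to check mechanically rather than by memory. The script below is an added example written for this page; it is not code from either poster or from SuSE. It parses `netstat -tln`-style output (the sample lines are constructed, not captured from Ray's machine), reports each listening TCP socket as allowed, loopback-only (like the CGI-enabled default vhost bound to 127.0.0.1), or unexpected, and emits a default-deny `iptables-restore` ruleset for the same allowlist so that a service left running by mistake is still unreachable from outside. The allowlist of ports 80 and 22 is an assumption for a public web server administered over SSH.

```python
"""Audit listening TCP sockets against an allowlist and emit a default-deny
iptables ruleset for the same allowlist.  Added example; not code from the
thread, and the allowlist below is an assumption."""
import re

# Constructed sample of `netstat -tln`-style output (not captured from the
# poster's machine).  Port 21 (ftpd) and 3128 (squid) stand in for the
# services the poster said he shut down; 8080 stands in for a loopback-only
# service such as the CGI-enabled default vhost.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
"""

# Ports a public web server is expected to expose (assumption: HTTP plus SSH
# for administration).
ALLOWED_PORTS = {80, 22}

# Matches "tcp"/"tcp6" LISTEN lines; the greedy \S+ backtracks so that the
# last colon separates address from port, which also handles ":::80".
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def parse_listeners(netstat_output):
    """Return a list of (bind_address, port) tuples for LISTEN sockets."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def is_loopback(addr):
    """True for sockets reachable only from the host itself."""
    return addr.startswith("127.") or addr == "::1"


def audit(netstat_output, allowed_ports=ALLOWED_PORTS):
    """Classify each listener as 'ok', 'local-only' or 'unexpected'."""
    findings = []
    for addr, port in parse_listeners(netstat_output):
        if port in allowed_ports:
            status = "ok"
        elif is_loopback(addr):
            # Bound to loopback: not exposed to the network, but still worth
            # knowing about (it is reachable by any local process).
            status = "local-only"
        else:
            # Bound to all interfaces and not on the allowlist: disable the
            # service, and in any case the firewall below blocks it.
            status = "unexpected"
        findings.append((addr, port, status))
    return findings


def iptables_rules(allowed_ports=ALLOWED_PORTS):
    """Emit an iptables-restore style ruleset: drop everything inbound except
    loopback, established connections, and the allowlisted TCP ports."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(allowed_ports):
        lines.append(f"-A INPUT -p tcp --dport {port} -m state --state NEW -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for addr, port, status in audit(SAMPLE_NETSTAT):
        print(f"{addr}:{port:<6} {status}")
    print(iptables_rules())
```

On a real host, feed it the output of `netstat -tln` (or `ss -tln`, whose columns differ and would need a second regex) and load the emitted ruleset with `iptables-restore` after reviewing it. The point of generating both from one allowlist is defence in depth: the audit catches a daemon that should not be running, and the default-deny policy means that a daemon you missed, or one an intruder starts on a high port, is still not reachable from outside.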