Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] Production app or web server firewall set-up - questions
  • From: Peer Stefan <stefan.peer@xxxxxxxx>
  • Date: Fri, 18 Jan 2002 11:29:04 +0100
  • Message-id: <3559BA35534FD511A1200002557C39B0AFC6@xxxxxxxxxxxxxxxxxxxxx>
Question is, how paranoid are you?
My suggestion is to use a firewall and put the webserver in a DMZ. Shut down
all services you don't need. Allow the services needed in /etc/hosts.allow
and permit everything else in /etc/hosts.deny. Allow ssh from dedicated
hosts only. Don't allow mail; instead redirect it to the mail server and
deal with it there.
Regarding iptables: are you using a firewall package or do you build your
rules yourself? I'd suggest using SuSEfirewall2-2.1, which is very easy to
configure. (FW_SERVICES_EXT="http 443" and
FW_TRUSTED_NETS="<trusted_host_ip>,tcp,ssh")

If you want to secure apache, you can use squid to act as a transparent proxy.
Redirect all http-stuff to squid, enable squidGuard and block/redirect all
requests which look a bit suspicious (e.g. "GET HTTP/1.0 /cgi-bin/root.exe"
et al).

Most important thing: keep your system up to date and an eye on the
logfiles.

regards,
Stefan

-----Original Message-----
From: Steven Thompson [mailto:steven@xxxxxxxxxxxxxx]
Sent: Friday, 18 January 2002 10:20
To: SuSE security mailing list (E-mail)
Subject: [suse-security] Production app or web server firewall set-up -
questions

Hi All

In a production environment, what are the recommended security settings with
performance in mind, given that the only services I will be providing are
http, https, ssh2 - scp, smtp? (i.e. secure, but with as little overhead as possible)
Kernel 2.4.x and using iptables, postfix, stronghold apache.

Q1. What services can hosts.deny & hosts.allow secure?
(mainly in regards to the services that I'm using above)

Q2. Should I use stateful connection tracking on all ports or only the
ssh, smtp and https ports? What is the stateful connection overhead like?

Q3. What ICMP should you block and what must you answer directly or
indirectly, so that you don't break other services or slow them down.

Q4. What is the recommended minimum set of ports and protocols that I must log, so that I
can audit attacks and problems and keep logging overhead to a minimum?
Given that our ISP environment has a lot of broadcast traffic.
e.g.

Q5. What DoS protection options are there with iptables and how do you
work out the rate to limit at? I have syncookie protection enabled.

Q6. Is it still recommended to reject mail server connections to port 113?
Is the following setting correct:
iptables -A INPUT -i eth1 -p tcp --dport 113 -j REJECT --reject-with tcp-reset

Thanks in Advance

Steven
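For Steven's questions Q2 to Q6 and Stefan's advice (ssh from a dedicated host only, public http/https/smtp), the following is an added example, not part of either mail: a shell function that emits an iptables-restore ruleset implementing that policy with stateful matching, bounded ICMP, rate-limited logging and the port-113 reset. The external interface eth1 and the trusted admin host 192.0.2.10 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables-restore ruleset;
# load with: gen_ruleset eth1 192.0.2.10 | iptables-restore
# Placeholders: external interface and trusted admin host (arguments 1 and 2).

gen_ruleset() {
    ext_if=${1:-eth1}
    admin_host=${2:-192.0.2.10}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Q2: one state match up front; per-port rules below only see NEW packets.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Public services: only SYN packets that open a new connection.
-A INPUT -i $ext_if -p tcp --syn -m multiport --dports 80,443,25 -m state --state NEW -j ACCEPT
# ssh from the dedicated admin host only, as Stefan suggests.
-A INPUT -i $ext_if -p tcp --syn --dport 22 -s $admin_host -m state --state NEW -j ACCEPT
# Q3: answer echo requests at a bounded rate, keep the ICMP error types that
# path-MTU discovery and traceroute depend on, drop the rest silently.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
-A INPUT -p icmp -j DROP
# Q6: reset ident instead of dropping so mail peers do not wait for a timeout.
-A INPUT -i $ext_if -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Q4: broadcast noise from the ISP segment is dropped without logging.
-A INPUT -m pkttype --pkt-type broadcast -j DROP
# Q4/Q5: everything else is logged as a limited sample, then dropped.
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
COMMIT
EOF
}
```

The ruleset is printed rather than applied, so it can be reviewed or diffed against a running `iptables-save` before loading.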
