Mailinglist Archive: opensuse-security (757 mails)

< Previous Next >
Re: [suse-security] Production app or web server firewall set-up - questions
  • From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
  • Date: Fri, 18 Jan 2002 02:35:59 -0700
  • Message-id: <00fb01c1a003$895cf040$6400030a@xxxxxxxxxxxx>
This "question" makes very little sense. You need to hire a consultant.

> Hi All
>
> In a production environment what is the recommend security settings with
> performance in mind and only services that I will be providing is
> http, https, ssh2 - scp, smtp. (i.e. secure , but with as little overhead)
> Kernel 2.4.x and using iptables , postfix, stronghold apache.
>
> Q.1 What services can hosts.deny & hosts.allow secure?
> (mainly in regards to the services that I'm using above)

Anything compiled with tcp_wrapper support. Or you can firewall. "What kind
of toothpaste should I buy?"

> Q.2 Should I use stateful connection tracking on all ports or only the
> ssh,smtp and https ports? What is the stateful connection overhead
like.

Depends on how many connections. Depends on your security needs.

> Q3. What ICMP should you block and what must you answer directly or
> indirectly, so that you don't break other services or slow them down.

You can block all icmp if you want. or none. or allow pings, and maybe
traceroutes. or block host unreachable, or not. again. this is not a real
question. It's like asking "which car should I buy?".

> Q4. What is recommend minimum ports and protocol that I must log, so that
I
> can audit attacks , problems and keep logging overhead to a minimum.
> Given that our ISP environment has a lot of broadcast traffic.
> e.g.

Everything. Or maybe nothing. Or something in the middle. Do you actually
plan to do anything with these log files? Can you store them securely? "What
kind of house should I buy?".

> Q5. What DOS of protection options are there with iptables and how do you
> workout the rate to limit @. I have syncookie protection enabled.

How many connections do you expect? What limits can you sustain? How much
damage can you sustain? "Should I get the vegetable tempura, or some tamago
and vegetarian inside out rolls?".

> Q6. Is it still recommend to Reject mail server connections to port 113.
> Is the following setting correct:
> iptables -A INPUT -i eth1 -p tcp --dport 113 -j REJECT --reject-with
> tcp-reset

Do you want to allow ident lookups? "Should I put my money into a no-load
mutual fund, or T-bills?".

> Thanks in Advance
>
> Steven

Kurt Seifried, kurt@xxxxxxxxxxxx
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/




< Previous Next >
References