On Sunday 09 March 2003 17:29, Michael Hoeller wrote:
Hello David, hello Matthias, hello list,
David, your suggestions "sound" good to my newbie ears. I have reposted it with my remarks. Sorry this got a little bit too long but to cut off your
I'm a bit concerned that for a newbie, the answers coming back are along the lines of everything that is possible to do, to make for a very secure installation, rather than what Michael originally asked, which was, what he "really needed to do". Michael, you need to balance the risks, and decide on the right cost/benefit tradeoff. Actually reaping the low hanging fruit will bring most of the benefits fairly simply and easily. So let's look at the question again:

On Sunday 09 March 2003 09:46, Michael Hoeller wrote:
Here is the problem, I need to run a productive server SuSE 8.0 to which some real terminals are connected (-> no harddrive) the terminals boot via tftp and mount the certain drives via nfs. For "online" backups I run rsync. The server must be reachable for remote maintenance via isdn dialin, also telnet and ftp. The temporary connects to the internet for surfing and email should also be possible.
What would you suggest to protect the machine? It would be great if you could point me to the right direction that way I can focus on the things which are really needed.
Can you explain more about how those machines connect to the Internet, is it permanently on or via dialup? (If it's dialup then you might be able to take advantage of the /etc/ppp/ip-{up,down}.local scripts). Is the access via ISDN dialin, also the line used for 'temporary connects' to the net?

The time and effort to spend on securing that network, depends on balancing the risks, and the amount of time you're able to put in on configuration and administration. There's not a lot of point in setting up Intrusion or Scan detection systems for that network, if it's on dialup, connected just a few hours a week, and you're not going to have time to monitor the IDS or scanner's output anyway.

What is clear is:

0) Read Nix's Security FAQ at http://www.susesecurity.com/
1) Check what services you are offering on the Internet connected machine (netstat -lp)
2) Set up an appropriate firewall, that only permits the UDP and TCP/IP client connections to things that are *required*.
3) Set up a cron job to ensure either YaST Online Update (or fou4s) runs and applies security fixes.
4) Use ssh(1), scp(1), sftp(1) or rsync -essh (rsync '-essh -c blowfish' will save CPU time on large transfers).

Rob
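
Step 1 of the list above, turned into a repeatable check. This is an added example and not part of Rob's message: it reads `netstat -lntup` output (the `-n`, `-t` and `-u` flags are added to the `-lp` mentioned above so ports stay numeric) and reports every listener reachable from outside whose port is not on an allowlist. The function names, the LAN prefix `192.168.1.`, the allowlist containing only port 22 and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Flags listening sockets that are reachable from outside
# and whose port is not on an explicit allowlist.

# Constructed sample of `netstat -lntup` output (not taken from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      412/inetd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      412/inetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      380/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      501/master
udp        0      0 0.0.0.0:69              0.0.0.0:*                           412/inetd
udp        0      0 192.168.1.1:2049        0.0.0.0:*                           -
EOF
}

# audit_listeners "<allowed ports>" "<LAN address prefix>"   (hypothetical helper)
# Reads netstat output on stdin; prints "proto port pid/program" per finding.
audit_listeners() {
    awk -v allowed="$1" -v lan="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
        if (host ~ /^127\./ || host == "::1") next      # loopback only
        if (lan != "" && index(host, lan) == 1) next    # bound to the LAN side
        if (port in ok) next                            # explicitly permitted
        print $1, port, $NF    # $NF because UDP rows have no State column
    }'
}

# On a live host: netstat -lntup | audit_listeners "22" "192.168.1."
sample_netstat | audit_listeners "22" "192.168.1."
```

Each line of output is a service the firewall in step 2 has to block on the Internet-facing interface, or one to replace with its ssh-based equivalent from step 4.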