MichaelHoeller@t-online.de (Michael Hoeller) writes:

> Hello David,
>
> This is the constellation:
>
> Here is the problem: I need to run a productive server (SuSE 8.0) to which real terminals are connected (-> no hard drive). The terminals boot via tftp and mount certain drives via nfs. For "online" backups I run rsync. The server must be reachable for remote maintenance via isdn dial-in, also telnet and ftp.
>
> David Smith wrote:
> > Use SuSEfirewall2. Edit the configuration file /etc/sysconfig/SuSEfirewall2
>
> Would it really be enough to run SuSEfirewall2? I'd like to hook on to Matthias's answer:
>
> > If possible drop ftp and telnet and use ssh / sftp instead. Or at least chroot the ftp process and don't let it run as root.
>
> OK, ssh and sftp are no problem, but for some maintenance tasks root access is needed. What would be a strategy in this case?
>
> > > The temporary connects to the internet for surfing and email should also be possible.
> >
> > If it's connected to the internet install a *tight* firewall.
>
> Guess SuSEfirewall2 can do this, but what about ssh and sftp and dial-in?
>
> > Install IDS software (eg AIDE)
>
> HIDS or NIDS? An attack from the inner side is a less reasonable issue, though still (in theory) possible.
>
> > Install chkrootkit. Install portsentry in case your firewall is dropped for some reason.
>
> I never used them, what can they do in the current scenario?
>
> I guess the main problem are the temporary connects to the internet and the dial-in connection for maintenance. How can I make sure that only *one* certain number can dial in?

You can use isdnctrl for this task. See "man isdnctrl" for "addphone" and "secure". You may additionally want to use papcrypt for ipppd (man ipppd).

Now: How do you want to connect to the internet? Also via ISDN or via another interface?

Regards,
Matthias
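Two checks for the setup discussed in this thread, as an added example and not code from any of the posters. The first helper prints the isdnctrl sequence that ties an ipppd dial-in interface to a single allowed caller number (the "addphone ... in" plus "secure on" combination from "man isdnctrl"); the second reads a SuSEfirewall2-style sysconfig file and flags telnet (23) or ftp (21) opened towards the external interface via FW_SERVICES_EXT_TCP. The interface name ippp0, the MSN and caller placeholders, and the two sample config files are assumptions constructed for the example; the commands are only printed, not executed.

```shell
#!/bin/sh
# Added example for the thread above (not the posters' own code).
# Assumed values: interface ippp0, placeholder MSN and caller number.
IFACE=ippp0
LOCAL_MSN=LOCAL_MSN_PLACEHOLDER
ALLOWED_CALLER=CALLER_NUMBER_PLACEHOLDER

# Print (do not run) the isdnctrl commands that restrict incoming calls on
# $1 to the single number $3; $2 is our own MSN.  "secure on" makes the
# interface reject every caller that is not in its "addphone ... in" list.
isdn_dialin_cmds() {
    iface=$1; msn=$2; caller=$3
    printf 'isdnctrl addif %s\n' "$iface"
    printf 'isdnctrl eaz %s %s\n' "$iface" "$msn"
    printf 'isdnctrl addphone %s in %s\n' "$iface" "$caller"
    printf 'isdnctrl secure %s on\n' "$iface"
}

# Return 0 if FW_SERVICES_EXT_TCP in the given sysconfig file contains
# neither telnet nor ftp, 1 (with a warning on stderr) otherwise.
audit_fw_config() {
    cfg=$1
    ext_tcp=$(sed -n 's/^FW_SERVICES_EXT_TCP="\(.*\)"/\1/p' "$cfg")
    rc=0
    for port in $ext_tcp; do
        case $port in
            21|ftp|23|telnet)
                echo "WARN: $port is open on the external interface ($cfg)" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs (not real files from the thread): one that
# still exposes ftp and telnet externally, one that only allows ssh.
WEAK=$(mktemp); GOOD=$(mktemp)
trap 'rm -f "$WEAK" "$GOOD"' EXIT
cat >"$WEAK" <<'EOF'
FW_DEV_EXT="ippp0"
FW_DEV_INT="eth0"
FW_SERVICES_EXT_TCP="21 22 23"
EOF
cat >"$GOOD" <<'EOF'
FW_DEV_EXT="ippp0"
FW_DEV_INT="eth0"
FW_SERVICES_EXT_TCP="22"
EOF

echo "# isdnctrl commands for a caller-restricted dial-in interface:"
isdn_dialin_cmds "$IFACE" "$LOCAL_MSN" "$ALLOWED_CALLER"
audit_fw_config "$GOOD" && echo "sample good config: no telnet/ftp on external interface"
audit_fw_config "$WEAK" || echo "sample weak config: flagged"
```

Run the printed isdnctrl lines by hand (or pipe them to sh) once the numbers are filled in; the audit function can be pointed at the real /etc/sysconfig/SuSEfirewall2 after editing it.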