Re: [discuss] Which security level for a server running apache+ssh on the internet

From: Thomas Herlea (Thomas.Herleaesat.kuleuven.ac.be)
Date: Mon Dec 22 2003 - 16:59:28 CST


On Monday 22 December 2003 18:09, Thomas Carrié wrote:
> I would like to know what msec level you would choose to put a
> server on the internet considering that you run apache on it and
> that you need ssh access to configure the server from your office.

I use msec level 5 (Paranoid), with defenses relaxed just enough to
let me use the computer the way I need to. I suppose you can do that,
too. (It's true that, after installing Mandrake Linux first back in
2001, I had to discover by experimentation what I needed to override
from the default settings of the level to be able to use the
computer.)

> I have chosen "Security Level 4" but it gave me many troubles: I
> was not able to ping my server "ping localhost", I found out that I
> had to uncheck "Ignore ICMP Echo".

If you "echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all" as root you
enable ping replies by the kernel. Because of msec this will not
persist unless you have "accept_icmp_echo (yes)" in
/etc/security/msec/level.local (and, of course, "from mseclib import
*" for level.local to work). You can set this from DrakSec, the
"Network Options" tab, "Accept ICMP echo" selector.

Your firewall rules have to allow pings to get in and replies to go
out.

Hope this helps,
Thomas.
--
[Random fortune cookie]:
There are no working trigger cables, unless they are too short
                -- Ralf's Laws of Observational Astronomy n°2
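The reply above names three separate things that have to agree before "ping localhost" works on an msec-hardened host: the live kernel knob, the msec override file that keeps the knob from being reverted, and the packet filter. The script below is an added example written for this page, not code from the mail or from the msec project. It takes file paths as parameters so the functions can be exercised on copies; the default paths are the ones the mail gives. The firewall function assumes an iptables firewall, which the mail does not name, and needs root, as does writing to /proc.

```shell
#!/bin/sh
# Added example (not from the original mail): the "allow ping" fix the
# reply describes, as checkable functions.
#  1. /proc/sys/net/ipv4/icmp_echo_ignore_all: 0 = answer pings, 1 = ignore.
#  2. /etc/security/msec/level.local: msec re-applies its level settings, so
#     the kernel knob only sticks if accept_icmp_echo(yes) is recorded here,
#     after the "from mseclib import *" line that makes the name resolve.
#  3. the packet filter must admit the request and let the reply out.
# Paths are parameters (defaults from the mail) so tests can use copies.

# Print "answering" or "ignoring" for the given icmp_echo_ignore_all file.
icmp_echo_state() {
    knob="${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}"
    if [ "$(cat "$knob")" = "0" ]; then
        echo answering
    else
        echo ignoring
    fi
}

# Make the kernel answer pings right now (needs root; msec will revert it).
enable_icmp_echo_now() {
    knob="${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}"
    echo 0 > "$knob"
}

# Record accept_icmp_echo(yes) in level.local so the change survives msec.
# Idempotent: the import line is added once, at the top; an existing
# accept_icmp_echo(...) line is rewritten rather than duplicated.
persist_icmp_echo() {
    f="${1:-/etc/security/msec/level.local}"
    [ -f "$f" ] || : > "$f"
    if ! grep -q '^from mseclib import \*' "$f"; then
        { echo 'from mseclib import *'; cat "$f"; } > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    if grep -q '^accept_icmp_echo(' "$f"; then
        sed 's/^accept_icmp_echo(.*)/accept_icmp_echo(yes)/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        echo 'accept_icmp_echo(yes)' >> "$f"
    fi
}

# Succeed only if level.local will keep ping replies on across msec runs:
# both the import and the yes setting must be present.
check_persisted() {
    f="${1:-/etc/security/msec/level.local}"
    grep -q '^from mseclib import \*' "$f" && grep -q '^accept_icmp_echo(yes)' "$f"
}

# Assumed iptables firewall (the mail names none). Needs root; the two rules
# are the minimum for an inbound echo-request and the outbound echo-reply.
firewall_allow_ping() {
    iptables -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-reply   -j ACCEPT
}
```

Running `icmp_echo_state` before and after `enable_icmp_echo_now` shows the immediate effect; `check_persisted` is the test to rerun after msec's next pass, since a host that answers pings now but fails that check will stop answering once msec re-applies level 4 or 5.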