RE: Securing Fedora Core 4

From: Will Yonker (aragonxdcsnow.com)
Date: Fri Sep 23 2005 - 13:05:48 CDT


<quote who="Charles Heselton">
> Well, those kinds of things should be blocked at your gateway. It's
> much faster, and just as secure to handle this in a router's ACL,
> than it is on a per machine basis. This way, you only need to worry
> about configuring the host firewall for internal or "allowed"
> threats. I'm defining "allowed threats" as services that you allow
> through your firewall(s), i.e. DNS, HTTP, SMTP, etc.

These machines are handling NAT and acting as Internet gateways. These
sites are rather small (Less than 25 users each) so cost is a real factor.

>> >> The hosts will receive email for the domain so spam filters
>> >> are required.
>> >
>> > So, every host will be an MTA?
>>
>> No but every Linux machine will. The client machines run Windows
>> XP. There are 3 offices at 3 different sites with 3 different
>> domain names...
>
> Gotcha. I guess I'm probably just missing the whole scope of what
> you're trying to do. So that makes things difficult to speculate
> accurately. I wouldn't expect the clients to be on Linux (yet). ;-)

I should have better defined the roles of these boxes. I didn't want to
make the email too long or I would have put everyone to sleep. ^^ I have
a problem at times between being too cryptic and too explanatory.

> Well, they are basically one and the same. While the users may be
> ignorant, despite attempts at training ;-), spam, phishing, malware,
> all comes from "hostiles on the Internet". The question is really
> (and you don't have to answer this - on list at least :-) ), "what's
> your money maker?" Not wanting to get hacked, is not a critical
> asset. Webservers (containing a company's web presence), development
> images, money (if you're a bank), personal information of
> employees/customers, intellectual property.....these are all examples
> of things that you're trying to protect. Once you identify the
> systems that contain/manipulate/transfer that data, you can secure
> it more appropriately.

Okay, time for me to come clean. The REAL reason I want to secure these
machines is: To help make a better Internet. Really I'm just trying to
keep my boxes from being used to annoy other admins. That and it's really
annoying when someone does hack your box because most root kits leave a
mess. Stuff stops working correctly...

There is very little valuable information on these machines that is not
encrypted from the client side. And even that information is of little
interest even if someone did get it.