(Seen on the Metro Detroit LUG list -- respaced for ease of reading)

Subject: Re: Nevermind about the 3com 3c905b - I got it working
Date: Mon, 16 Nov 1998 21:25:26 -0600 (EST)
From: Nate Riffe
To: "Dean M. Durant"
CC: "'Linux.Users.Group@umich.edu'", "'mdlug@collie.net'"

On Mon, 16 Nov 1998, Dean M. Durant wrote:

>
> Now I can ping - a million thanks to everyone who helped.  What was it? - a
> stupid assumption on my part - that the 3c59x.o included with RH 5.1 was
> the same as that compiled from Becker's C source code.  It was not.
>
> Now for my next question.  Linux Security - If we put a Linux box on the
> Internet, how hard is it to secure?  I was looking at this book, Hacker
> Proof, and it seems like Unix/Linux has a lot of holes, maybe more than NT
> or VMS - I welcome all replies, outraged or otherwise.
>
> Also, Linux on the space shuttle - True?
>
>

Well, for one thing, NT does not even offer some of the more notorious
services - such as the "r" services and rpc - either by default or without
installing more software (AFAIK).

My recommendation is to upgrade to the latest release kernel if you haven't
already.  Run a 'netstat -a' to see what network services are running.
Permanently turn off anything you won't need and the ones you can't come up
with a specific reason to leave on, in other words, the ones you think you
"might want to use sometime."  What's left is a fairly short list of servers
to check for security problems.

Next, set up a firewall.  Red Hat makes this fairly easy, if not
straightforward.  What I did was create a file in /etc/rc.d called
rc.firewall containing ipfwadm commands to install all the rules in my
firewall.  A good set of ipfwadm rules can be had from the IP-Masquerade
mini-howto, just leave out the forwarding rules and any rules that apply to
network interfaces you don't have if you don't have multiple interfaces
and/or don't intend to forward IP traffic.  After symlinking it to
/etc/rc.d/init.d/firewall, I added it to runlevel 3 using Red Hat's runlevel
editor under Control Panel.

If you have local users, ask yourself, "Do I trust these people?"  If the
answer is no, then you'll have your work cut out for you.  If the answer is
yes, then ask yourself, "Do these people trust people I don't trust?"  If
the answer is yes, then that's the same situation as not trusting your users
(I got bit here once).  You may want to check local security even if you
trust everybody who's local.

www.geek-girl.com, www.rootshell.com, and www.l0pht.com have extensive
archives of security advisories, reports, patches, and exploits submitted by
hackers, crackers, vendors, and victims around the world dating back to the
early nineties.

Also keep in mind that a secure system today may not be in a month.  To
(mis?)quote Max from the movie _Strange_Days_, "It's not about whether or
not you're paranoid, it's about whether or not you're paranoid enough."

-Nate
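
The 'netstat -a' review described in the message above, as an added example that is not part of the original e-mail: it lists every listening service that is not on an explicit keep-list, so anything without a stated reason to stay on stands out. The function names, the keep-list (smtp, www) and the sample netstat output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the e-mail): audit `netstat -a` text against a
# keep-list of services that have a specific reason to be running.

# Constructed sample of `netstat -a` output; on a real host, pipe the
# command itself into audit_listeners instead.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:shell                 *:*                     LISTEN
tcp        0      0 *:login                 *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 myhost:1027             mail.example.org:smtp   ESTABLISHED
udp        0      0 *:sunrpc                *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  1      [ ]         STREAM     CONNECTED     412    /dev/log
EOF
}

# audit_listeners KEEP...
# Reads netstat -a output on stdin and prints "proto service" for each
# listener whose service name or port is not in KEEP.
# Returns 0 when every listener is on the keep-list, 1 otherwise.
audit_listeners() {
    keep=" $* "
    awk -v keep="$keep" '
        # TCP servers show state LISTEN. UDP rows have no state column, so a
        # UDP server is a row whose foreign address ends in the wildcard port.
        ($1 ~ /^tcp/ && $NF == "LISTEN") ||
        ($1 ~ /^udp/ && $5 ~ /:[*]$/) {
            n = split($4, part, ":")      # service is the last ":" field
            svc = part[n]
            if (seen[$1 "/" svc]++) next  # report each proto/service once
            if (index(keep, " " svc " ") == 0) { print $1, svc; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Keep only mail and web; everything else printed needs a reason or goes.
sample_netstat | audit_listeners smtp www || echo "review the services listed above"
```

On the constructed sample this reports telnet, the "r" services (shell, login) and sunrpc on both TCP and UDP, while the established outbound smtp connection is ignored because it is not a listener.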