[WBEL-users] easy to use firewall?
Phil Barnett
philb at philb.us
Mon Apr 4 14:21:15 CDT 2005
On Monday 04 April 2005 12:37 pm, Ganeshram Iyer wrote:
> Phil: Unfortunately we have a shortage of PCs in our tiny lab. We have
> more users than machines and time sharing is very common. I was lucky
> that someone hacked into our Windows Server thereby allowing me to
> push the Linux server option.
So, you got hacked and you still can't get the resources to do it right?
Typical bureaucratic shell games, eh?
> But the downside is the tradeoff. We do
> not have compilers on it and use it for these purposes alone:
> 1) Apache HTTP/HTTPS
There have been significant exploits for this one.
> 2) SAMBA
And this one.
> 3) SSH
And this one.
I predict there will be again in the future.
When you are locking down an RPM based server, it makes sense to run
rpm -qa
and look at what is installed. Be sure to rpm -e anything that you don't
actually need that is not part of the base system. Personally, I do a minimal
install and then yum install only the things I need on the box. Don't forget
to run ntsysv and turn off all the services that you don't need running.
If you have turned off all the services you don't use and are only exposing
the services you want to expose, there is no point to firewalling the
machine. This is called a bastion host. It's typical of Linux servers. What's
the point of making a machine that has ports 23, 80, 8080, 443, 137, 138, 139 as
its only available ports and then putting a firewall in front of it that
allows ports 23, 80, 8080, 443, 137, 138, 139 to come through?
Run nmap against the server from the outside at a minimum and if you have the
time, install and run Nessus and scan the box with it. Once you are satisfied
that the box is exposing only the ports you want open, you are done. No
firewall necessary.
On the other hand, aging but built like a tank Compaq EN Deskpros are about
$25 plus shipping on eBay. They make perfect firewalls. Just add a second NIC
or two. You can load IPCop via floppy over the network, so you don't need a
CDROM. Like this one: (which is actually quite overkill)
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&category=51118&item=5180454912&rd=1
Sometimes dumpster diving will yield workable firewall machines. Ask local
businesses if you can have a few older computers as they upgrade. I've been
able to get dozens of donated machines this way for our Linux user group.
But, if this server is already behind a firewall, that's significant as long
as that firewall is built properly and doesn't itself have a bunch of tools
on it to help a hacker along.
Good luck.
--
"In the beginning of a change, the patriot is a brave and scarce man, hated
and scorned. When the cause succeeds, however, the timid join him...for then
it costs nothing to be a patriot." -Mark Twain
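The port audit Phil describes (scan the box from outside, then confirm it exposes only the ports you meant to open) as an added shell example; this is not part of the original post. The allowlist is an assumption derived from the three services named (SSH, Apache, Samba), and the nmap output is a constructed sample rather than a live scan.

```shell
#!/bin/sh
# Added example: compare a bastion host's open ports against an allowlist.
# ALLOWED_PORTS is an assumption: SSH (22), Apache (80/443), Samba (137-139, 445).
ALLOWED_PORTS="22 80 443 137 138 139 445"

# Constructed sample of "nmap -sT" output (not a real scan of any host).
SAMPLE_SCAN='Starting Nmap 3.81 ( http://www.insecure.org/nmap/ )
Interesting ports on server.example.lan (192.0.2.10):
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https
139/tcp open  netbios-ssn'

# unexpected_ports SCAN_TEXT ALLOWLIST
# Prints every "open" port from the scan that is not in the allowlist, one per line.
unexpected_ports() {
    scan="$1"
    allowed="$2"
    printf '%s\n' "$scan" | awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            split($1, p, "/")
            if (!(p[1] in ok)) print p[1] "/" p[2] " (" $3 ")"
        }'
}

# bastion_check SCAN_TEXT ALLOWLIST
# Returns 0 when only allowed ports are exposed, 1 when something extra is listening.
bastion_check() {
    extra=$(unexpected_ports "$1" "$2")
    if [ -z "$extra" ]; then
        echo "OK: only allowed ports are exposed"
        return 0
    fi
    echo "WARNING: unexpected open ports (rpm -e the package or ntsysv the service):"
    printf '%s\n' "$extra"
    return 1
}

bastion_check "$SAMPLE_SCAN" "$ALLOWED_PORTS" || echo "audit exit status: $?"
```

On a real box, replace SAMPLE_SCAN with the saved output of an nmap run from outside the host; the sample above flags telnet and rpcbind, which is the kind of leftover service the post says to remove.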