[WBEL-users] easy to use firewall?

Phil Barnett philb at philb.us
Mon Apr 4 14:21:15 CDT 2005


On Monday 04 April 2005 12:37 pm, Ganeshram Iyer wrote:
> Phil: Unfortunately we have a shortage of PCs in our tiny lab. We have
> more users than machines and time sharing is very common. I was lucky
> that someone hacked into our Windows Server thereby allowing me to
> push the Linux server option. 

So, you got hacked and you still can't get the resources to do it right? 
Typical bureaucratic shell games, eh?

> But the downside is the tradeoff. We do 
> not have compilers on it and use it for these purposes alone:
> 1) Apache HTTP/HTTPS

There have been significant exploits for this one.

> 2) SAMBA

And this one.

> 3) SSH

And this one.

I predict there will be again in the future.

When you are locking down an RPM-based server, it makes sense to run

rpm -qa

and look at what is installed. Be sure to rpm -e anything that you don't 
actually need that is not part of the base system. Personally, I do a minimal 
install and then yum install only the things I need on the box. Don't forget 
to run ntsysv and turn off all the services that you don't need running. 

If you have turned off all the services you don't use and are only exposing 
the services you want to expose, there is no point to firewalling the 
machine. This is called a bastion host. It's typical of Linux servers. What's 
the point of making a machine that has ports 23, 80, 8080, 443, 137, 138, 139 as 
its only available ports and then putting a firewall in front of it that 
allows ports 23, 80, 8080, 443, 137, 138, 139 to come through?

Run nmap against the server from the outside at a minimum and if you have the 
time, install and run Nessus and scan the box with it. Once you are satisfied 
that the box is exposing only the ports you want open, you are done. No 
firewall necessary.

On the other hand, aging but built like a tank Compaq EN Deskpros are about 
$25 plus shipping on eBay. They make perfect firewalls. Just add a second NIC 
or two. You can load IPCop via floppy over the network, so you don't need a 
CDROM. Like this one: (which is actually quite overkill)

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&category=51118&item=5180454912&rd=1

Sometimes dumpster diving will yield workable firewall machines. Ask local 
businesses if you can have a few older computers as they upgrade. I've been 
able to get dozens of donated machines this way for our Linux user group.

But, if this server is already behind a firewall, that's significant as long 
as that firewall is built properly and doesn't itself have a bunch of tools 
on it to help a hacker along.

Good luck.

-- 

"In the beginning of a change, the patriot is a brave and scarce man, hated 
and scorned. When the cause succeeds, however, the timid join him...for then 
it costs nothing to be a patriot." -Mark Twain 
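The verification step Phil describes (scan the box from the outside and confirm only the intended ports are open) as an added example, not code from the original post: it parses nmap's grepable (-oG) output and compares it against an allow-list. The scan text and the expected-port list are constructed samples.

```shell
#!/bin/sh
# Compare the TCP ports an external nmap scan reports open with the ports you
# intended to expose. In practice, run from a host outside the server:
#   nmap -sS -p- -oG scan.gnmap <server>
# and feed the file contents in place of SAMPLE_SCAN.

# Ports the server is supposed to expose (constructed example: SSH, HTTP,
# HTTPS, SMB, and an 8080 listener the admin believes is running).
EXPECTED_PORTS="22 80 443 139 445 8080"

# Constructed sample in nmap -oG format, not a real scan result.
SAMPLE_SCAN='# Nmap scan (constructed sample)
Host: 192.0.2.10 () Ports: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 8080/closed/tcp//http-proxy///
# Nmap done (constructed sample)'

# open_ports SCAN: print TCP ports reported open, one per line, numerically sorted.
open_ports() {
    printf '%s\n' "$1" |
        grep '^Host:' |
        sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' |
        tr ',' '\n' |
        awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/ /, "", $1); print $1 }' |
        sort -n
}

# unexpected_ports SCAN EXPECTED: open ports not on the allow-list
# (services to shut down with ntsysv/rpm -e, or to investigate).
unexpected_ports() {
    for p in $(open_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# missing_ports SCAN EXPECTED: allow-listed ports that did not show as open
# (service not running, or something upstream is already filtering it).
missing_ports() {
    open=$(open_ports "$1")
    for p in $2; do
        printf '%s\n' "$open" | grep -qx "$p" || echo "$p"
    done
}

echo "Open but not expected:"; unexpected_ports "$SAMPLE_SCAN" "$EXPECTED_PORTS"
echo "Expected but not open:"; missing_ports "$SAMPLE_SCAN" "$EXPECTED_PORTS"
```

With the sample, telnet (23) is flagged as unexpected and 8080 as expected but not open.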

