[WBEL-users] easy to use firewall?

Ganeshram Iyer ganeshramiyer at gmail.com
Tue Apr 5 12:30:58 CDT 2005


On Apr 4, 2005 2:21 PM, Phil Barnett <philb at philb.us> wrote:
> On Monday 04 April 2005 12:37 pm, Ganeshram Iyer wrote:
> > Phil: Unfortunately we have a shortage of PCs in our tiny lab. We have
> > more users than machines and time sharing is very common. I was lucky
> > that someone hacked into our Windows Server thereby allowing me to
> > push the Linux server option.
> 
> So, you got hacked and you still can't get the resources to do it right?
> Typical bureaucratic shell games, eh?
> 
> > But the downside is the tradeoff. We do
> > not have compilers on it and use it for these purposes alone:
> > 1) Apache HTTP/HTTPS
> 
> There have been significant exploits for this one.
> 
> > 2) SAMBA
> 
> And this one.
> 
> > 3) SSH
> 
> And this one.
> 
> I predict there will be again in the future.
> 
> When you are locking down an RPM based server, it makes sense to run
> 
> rpm -qa
> 
> and look at what is installed. Be sure to rpm -e anything that you don't
> actually need that is not part of the base system. Personally, I do a minimal
> install and then yum install only the things I need on the box. Don't forget
> to run ntsysv and turn off all the services that you don't need running.
> 
> If you have turned off all the services you don't use and are only exposing
> the services you want to expose, there is no point to firewalling the
> machine. This is called a bastion host. It's typical of Linux servers. What's
> the point of making a machine that has ports 23, 80, 8080, 443, 137, 138, 139 as
> its only available ports and then putting a firewall in front of it that
> allows ports 23, 80, 8080, 443, 137, 138, 139 to come through?
> 
> Run nmap against the server from the outside at a minimum and if you have the
> time, install and run Nessus and scan the box with it. Once you are satisfied
> that the box is exposing only the ports you want open, you are done. No
> firewall necessary.
> 
> On the other hand, aging but built like a tank Compaq EN Deskpros are about
> $25 plus shipping on eBay. They make perfect firewalls. Just add a second NIC
> or two. You can load IPCop via floppy over the network, so you don't need a
> CDROM. Like this one: (which is actually quite overkill)
> 
> http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&category=51118&item=5180454912&rd=1
> 
> Sometimes dumpster diving will yield workable firewall machines. Ask local
> businesses if you can have a few older computers as they upgrade. I've been
> able to get dozens of donated machines this way for our Linux user group.
> 
> But, if this server is already behind a firewall, that's significant as long
> as that firewall is built properly and doesn't itself have a bunch of tools
> on it to help a hacker along.
> 
> Good luck.
Awesome amounts of useful information Phil. Thanks for it all. I will
be working on it for a while. The main firewall is a hardware
router/firewall separating our LAN from other LANs in the network. It
only blocks incoming ports except for 80 and 22. So I am looking for a
stronger server OS that will be able to hold up against attacks (at
least drive by hacks) on those ports. Windows and IIS sucked ar** in
that area.
And thanks to everyone for your responses. Being a part time
student/administrator for our univ lab means that I can use all the
advice I can get.
Thanks
Ganesh
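As an added example (not code from Phil's or Ganesh's posts), the following POSIX shell script turns the "only expose what you mean to expose" check from Phil's message into something repeatable: it compares the TCP ports a box is listening on, and the services enabled at a given runlevel, against an allowlist of what the administrator intends. It assumes the output formats of `ss -ltn` (or `netstat -ltn` on an older box) and `chkconfig --list`; the sample outputs embedded below are constructed, and the allowlists (ports 22 and 80, services httpd/smb/sshd) are assumptions matching the setup described in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a server's exposed
# listeners and enabled services against an allowlist.
#
# On a real box feed in live data instead of the constructed samples:
#   unexpected_ports    "$(ss -ltn)"           "22 80"
#   unexpected_services "$(chkconfig --list)" 3 "httpd smb sshd"

# Constructed sample in the layout `ss -ltn` prints (header line first).
SAMPLE_LISTEN='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      128    0.0.0.0:80          0.0.0.0:*
LISTEN  0      50     0.0.0.0:139         0.0.0.0:*
LISTEN  0      50     0.0.0.0:445         0.0.0.0:*
LISTEN  0      128    127.0.0.1:25        0.0.0.0:*
LISTEN  0      128    [::]:22             [::]:*'

# Constructed sample in the layout `chkconfig --list` prints.
SAMPLE_CHKCONFIG='httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
smb             0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
isdn            0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        chargen:        off'

# extract_ports LISTEN_OUTPUT
# Print, one per line and sorted, the distinct ports bound to a non-loopback
# address. Loopback-only listeners are not reachable from the network and
# are skipped; "[::]" (all IPv6 addresses) is kept.
extract_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[0-9]+$/, "", addr)   # everything before ":port"
        if (addr != "127.0.0.1" && addr != "[::1]") print port
    }' | sort -n -u
}

# enabled_at_runlevel CHKCONFIG_OUTPUT RUNLEVEL
# Print the names of SysV services switched "on" at the given runlevel.
# xinetd entries ("   name:  off") have a colon in field 1 and are skipped.
enabled_at_runlevel() {
    printf '%s\n' "$1" | awk -v rl="$2" '$1 !~ /:/ && NF >= 7 {
        for (i = 2; i <= NF; i++) if ($i == rl ":on") { print $1; break }
    }'
}

# filter_allowlist "ITEM ITEM ..."
# Read items on stdin and print only those not in the space-separated allowlist.
filter_allowlist() {
    allow="$1"
    while IFS= read -r item; do
        case " $allow " in
            *" $item "*) ;;                 # intended, stay quiet
            *) printf '%s\n' "$item" ;;     # not on the list: report it
        esac
    done
}

# unexpected_ports LISTEN_OUTPUT "PORT PORT ..."
unexpected_ports() {
    extract_ports "$1" | filter_allowlist "$2"
}

# unexpected_services CHKCONFIG_OUTPUT RUNLEVEL "SERVICE SERVICE ..."
unexpected_services() {
    enabled_at_runlevel "$1" "$2" | filter_allowlist "$3"
}

# Report on the constructed samples: ports 139 and 445 (Samba) and the cups
# service are enabled but not on the allowlist, so they should be looked at.
echo "Listening ports not on the allowlist (22 80):"
unexpected_ports "$SAMPLE_LISTEN" "22 80"
echo "Runlevel 3 services not on the allowlist (httpd smb sshd):"
unexpected_services "$SAMPLE_CHKCONFIG" 3 "httpd smb sshd"
```

Anything the script reports is either a service to turn off (`ntsysv`, `chkconfig name off`) or a package to remove (`rpm -e`), or something to add to the allowlist because it is genuinely meant to be exposed. An external `nmap` scan, as Phil suggests, remains the confirmation that what the host thinks it exposes matches what the network actually sees.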