“In the last article, we installed Linux with only those
packages we absolutely needed. (If you have not read my previous
article, you should do so now, as it is the base on which this is
built.) Now comes the detail work, turning your gateway into a
fortress. The first thing to understand is that there is no way to be
completely secure. There is just not enough time to do it all.
Corporations employ huge IT departments, whose sole purpose in life
is to secure their networks, and still they get cracked. Just
accept it and get on with your life. Our real goal here is to keep
honest people honest, keep the Script Kiddies out and slow the rest
down, giving you the opportunity to discover them. Ideally, this should
be done right after the clean install, before the system ever gets
put on the Internet. This article assumes you know something about
Linux, how to install it, how to edit various configuration files,
and that you can log in as root.”
“I also assume you are setting up a firewall system and have no
intention of running a DNS, DHCP, web, FTP or telnet server. If you
intend to run any of these services, I recommend setting up
separate machines. Set up a DMZ on your network, a system which is
secured but allows connections from systems outside your network.
This way, if an intruder does penetrate your server, he will have to
start all over to penetrate your firewall system, and you will
hopefully have discovered his break-in before he is able to get access
to your internal network.”
“In the world of Computer Security, Knowledge is Power. Frankly,
the Security Experts are always one step behind the Crackers; most
security issues are not discovered by the Experts but by the
Crackers, and are plugged only after they have been exploited.
You need to keep up to date on new problems; at the very least
you should be updating the packages as they come out. Type
“rpm -qa > packages.txt”; this gives you a list of the packages
and version numbers installed on your system. Then go to Red Hat’s
web site and download the updated packages. While you are there you
should read the security advisories and implement any changes they
suggest. If you are really proactive, subscribe to both the BugTraq
and CERT mailing lists.”
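The article stops at "compare your `rpm -qa` list against the advisories by hand". The script below is an added example (not from the quoted article) that does that comparison: it parses constructed `rpm -qa` lines of the form `name-version-release.arch`, implements a simplified rpm-style version compare (segment by segment, no epoch, tilde or caret handling), and reports packages older than a constructed advisory table of fixed version-release strings. All package names and version numbers here are made up and describe no real advisory.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `rpm -qa` output (names and versions are made up).
INSTALLED_LINES = """\
openssh-server-2.9p2-7.i386
wu-ftpd-2.6.1-16.i386
sendmail-8.11.6-3.i386
iptables-1.2.5-3.i386
"""

# Constructed advisory table: package name -> first fixed "version-release".
ADVISORIES: Dict[str, str] = {
    "openssh-server": "2.9p2-8",
    "wu-ftpd": "2.6.2-1",
    "sendmail": "8.11.6-3",
}

ARCHES = {"i386", "i486", "i586", "i686", "x86_64", "noarch", "athlon"}

def _segments(label: str) -> List[Tuple[int, object]]:
    """Split a label into rpm-style runs; numeric runs rank above alpha runs."""
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", label)]

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm label compare: -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def compare_evr(installed: str, fixed: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    iv, ir = installed.split("-", 1)
    fv, fr = fixed.split("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def parse_nvra(line: str) -> Tuple[str, str]:
    """Split 'name-version-release[.arch]' into (name, 'version-release')."""
    name, ver, rel = line.strip().rsplit("-", 2)
    head, _, tail = rel.rpartition(".")
    if tail in ARCHES:          # drop a trailing architecture suffix
        rel = head
    return name, f"{ver}-{rel}"

def outdated(lines: str, advisories: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {name: (installed, fixed)} for packages older than the advisory."""
    result = {}
    for line in filter(str.strip, lines.splitlines()):
        name, evr = parse_nvra(line)
        fixed = advisories.get(name)
        if fixed and compare_evr(evr, fixed) < 0:
            result[name] = (evr, fixed)
    return result

if __name__ == "__main__":
    for name, (have, need) in outdated(INSTALLED_LINES, ADVISORIES).items():
        print(f"{name}: installed {have}, advisory fixed in {need}")
```

On a real host, feed it the contents of the `packages.txt` the article has you create; rpm's own comparison additionally handles epochs and `~`/`^` markers, so treat this as a triage aid rather than the final word.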