okay. i'm trying to make our home network a little more secure. especially disabling remote logins over ppp0 on the gateway/dns/dhcp server, just because that freaks me out more than anything else. ppp0 is our ADSL by the way. currently, i've disabled FTP, SSH, TELNET, and RLOGIN over PPP0 in /etc/rc.d/rc.local (slackware 8.0) with this:
----------
##FTP
/sbin/ipchains -I input 1 -p tcp -i ppp0 --destination-port 21 -s 0.0.0.0/0 -j DENY
/sbin/ipchains -I input 1 -p udp -i ppp0 --destination-port 21 -s 0.0.0.0/0 -j DENY
##SSH
/sbin/ipchains -I input 1 -p tcp -i ppp0 --destination-port 22 -s 0.0.0.0/0 -j DENY
/sbin/ipchains -I input 1 -p udp -i ppp0 --destination-port 22 -s 0.0.0.0/0 -j DENY
##TELNET
/sbin/ipchains -I input 1 -p tcp -i ppp0 --destination-port 23 -s 0.0.0.0/0 -j DENY
/sbin/ipchains -I input 1 -p udp -i ppp0 --destination-port 23 -s 0.0.0.0/0 -j DENY
##RLOGIN
/sbin/ipchains -I input 1 -p tcp -i ppp0 --destination-port 513 -s 0.0.0.0/0 -j DENY
/sbin/ipchains -I input 1 -p udp -i ppp0 --destination-port 513 -s 0.0.0.0/0 -j DENY
----------
is this enough security for a busy ~10/15 computer home network? what else should i disable over ppp0? http is the only real server that really needs to be able to be accessed by the outside world. would it be wise to disable samba/netatalk over ppp0 as well or is that less of a security risk?

Depends on how you've got your samba itself set up. But disabling it over PPP wouldn't do any harm. Might not make it any safer though if you already only allow connects from your internal network.
About those ipchains rules. Blocking tcp on most of those is enough. But if you really want to block those ports you might want to make the -p all. You can also just eliminate the -p switch. This way you'll only have to define one rule per port you want to block. And if you are gonna be blocking rlogin you might as well be blocking rsh too.
But why don't you just turn these services off in the inetd.conf or xinetd instead of blocking them with ipchains?
Since your http server is going to be the only service you are running you should make sure that you check the developer's site regularly for bug fixes and updates.
If you want to start securing specific files because you are still paranoid that someone is gonna break in then you should look at the chattr command.
But anyways there are millions of manuals on the net on how to secure a Linux machine, they could tell you a lot more than I could.
Mik
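
The reply's suggestion to turn the services off in inetd.conf, sketched as an added example that is not part of the original thread: it lists which of the thread's remote-login services are still enabled in an inetd.conf and prints a copy with them commented out. The function names and the sample file are constructed for illustration; sshd normally runs as its own daemon rather than from inetd, so it is not checked here.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for the remote-login services named in
# the thread. inetd service names: rlogin is "login" (513/tcp) and rsh is
# "shell" (514/tcp). Function names here are hypothetical.
RISKY="ftp telnet login shell"

# AWK fragment shared by both functions: loads RISKY into want[] and defines
# what counts as an enabled entry (uncommented, at least 6 fields).
AWK_LIB='
BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
function enabled() { return $0 !~ /^[ \t]*#/ && NF >= 6 && ($1 in want) }
'

# Print service/protocol for each risky entry still enabled in file $1.
enabled_risky_services() {
    awk -v risky="$RISKY" "$AWK_LIB"'
        enabled() && !seen[$1 "/" $3]++ { print $1 "/" $3 }' "$1"
}

# Print a copy of file $1 with the risky entries commented out.
disable_risky_services() {
    awk -v risky="$RISKY" "$AWK_LIB"'
        enabled() { print "#" $0; next }
        { print }' "$1"
}

# Constructed sample inetd.conf (not taken from any real system).
write_sample() {
    cat > "$1" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  proftpd
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd -L
time    stream  tcp  nowait  root  internal
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "Enabled before:"; enabled_risky_services "$sample"
echo "Hardened copy:";  disable_risky_services "$sample"
rm -f "$sample"
```

inetd re-reads its configuration on SIGHUP, so an edited file takes effect only after the daemon is signalled. A service disabled this way stops listening on every interface, whereas the ipchains rules only filter traffic arriving on ppp0.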
