Old 02-08-2006, 12:42 AM   #1
Thinking
Member
 
Registered: Oct 2003
Posts: 249

Rep: Reputation: 30
need hardcore firewall! gentoo, 2.6.11-gentoo-r3


hiho@ll

somebody got my attention while he showed me that my system isn't really secure ;-)

what i now need/want is:
give me any idea you have which can make a firewall really hardcore!

this means:
think about a system which has no security and many services
anonymous ftp access with write privilege
very simple ssh2 access
samba
apache2
p2p (emule,amule such stuff)

what steps would you do to make this secure?
and please: nothing is too extreme!
i thought about making every service run in a vserver so if it gets hacked it's only the vserver!
if it needs programming skills, it's not a problem! (i think i will write a log file check, which notifies me at work if it notices a bad guy ;-) )

btw: is it possible to allow ssh access to a vserver if it comes from internet, and allow ssh to the whole machine if it comes from local LAN? (hmm, iptables?)

what i thought:
1. disable ping (iptables)
2. mix the ports (all above 1024) (apache2,p2p,ssh,ftp, samba is only allowed from local net)
3. generate extremely long passwords (and usernames too!! e.g. username: kdur836dk8745kfgndfglkj34578435)
4. very strict access for apache2,ssh,ftp (btw: how can i disallow root access over ssh? i want to log in as simple user and do "su" to become root)
5. firewall iptables to allow only a few IPs from internet!
6. vserver for every service
7. log file backup
8. i also thought about password rotation! this means i write a prog which changes users passwords depending on a simple algorithm every hour or every day
[EDIT]
9. honey pot (vserver, every standard service running, ssh, ftp (anonymous access))
10. instant messaging system (event driven: on log in notify using ICQ or email (used for honey pot ;-) ))
[/EDIT]

[EDIT]
btw: how does port knocking work? e.g. does it depend only on the server side or needs the client modifications too?
[/EDIT]

hmm, i think that's all for now

thx@ll

Last edited by Thinking; 02-08-2006 at 01:11 AM.
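A skeleton for the log-file check the post talks about, added here as an example (it is not the poster's code): it scans OpenSSH "Failed password" / "Accepted" syslog lines, counts failures per source address, flags any attempt against root, and returns the alert texts. The log lines are constructed; sending the ICQ/email notification is left to the caller.

```python
import re
from collections import Counter, defaultdict

# OpenSSH syslog lines of the era; "invalid user" appears when the account
# does not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def scan_auth_log(lines, threshold=3):
    """Return alert strings: any root attempt, and any source IP with
    `threshold` or more failed logins (with the user names it tried)."""
    failures = Counter()
    users_tried = defaultdict(set)
    alerts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            if m["user"] == "root":
                alerts.append(f"root login attempt from {m['ip']}")
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["user"] == "root":
            alerts.append(f"root LOGGED IN from {m['ip']}")  # must never happen
    for ip, n in failures.items():
        if n >= threshold:
            users = ",".join(sorted(users_tried[ip]))
            alerts.append(f"{ip}: {n} failed logins (users: {users})")
    return alerts

# Constructed sample log lines for a dry run.
SAMPLE_LOG = """\
Feb  8 00:40:11 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Feb  8 00:40:14 gw sshd[2201]: Failed password for invalid user test from 203.0.113.7 port 51122 ssh2
Feb  8 00:40:19 gw sshd[2203]: Failed password for root from 203.0.113.7 port 51140 ssh2
Feb  8 00:41:02 gw sshd[2210]: Accepted publickey for thinking from 192.168.1.20 port 40312 ssh2
Feb  8 00:41:30 gw sshd[2215]: Failed password for thinking from 192.168.1.20 port 40320 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in scan_auth_log(SAMPLE_LOG):
        print(alert)  # here you would send the ICQ/email notification instead
```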
 
Old 02-08-2006, 06:41 AM   #2
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
I run a Gentoo based firewall and I find it very secure. If you search for IPTables you will find a plethora of information on the internet that is useful. Here are some of the links:

Gentoo Wiki - My Firewall is based off this.
THE IPTables tutorial

Those should contain enough information to get a secure firewall up and running.

4. On my Gentoo machine the ssh config is /etc/ssh/sshd_config. Open that file and go to the line that says PermitRootLogin and put a no directly after that. Also in this file you can change the port on which SSH listens.

As far as port knocking I believe that IPTables can do it without requiring any client modifications but that won't make your system any more secure because it's using different ports. IPTables can automatically re-route based on your conditions but if it does it to every packet then a sniff of port 22 will still result in an attack at your SSH service. I would suggest changing the port and changing the clients as well.

I would write more but I have to go. Good luck and I hope this helps!

Last edited by Centinul; 02-08-2006 at 06:42 AM.
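A small audit for the two sshd_config points in the reply (PermitRootLogin and the listening port), added here as an example and not the poster's code. It mirrors how sshd reads the file: the first value of a keyword wins, Port may be listed several times, and directives after a Match line are conditional; the sample config is constructed, and the assumed defaults (PermitRootLogin yes, Port 22) are those of OpenSSH of that period.

```python
import re

def _directives(config_text):
    """Yield (keyword, value) from the global section of an sshd_config:
    '#' comments and blanks skipped, keywords case-insensitive, whitespace or
    '=' as separator; stops at the first Match line (conditional section)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        yield key, value

def effective_setting(config_text, keyword, default):
    """sshd uses the FIRST value given for a keyword; later repeats are ignored."""
    for key, value in _directives(config_text):
        if key == keyword.lower():
            return value
    return default

def listen_ports(config_text):
    """Port is the exception: every Port line adds a listening port (default 22)."""
    return [v for k, v in _directives(config_text) if k == "port"] or ["22"]

def audit_sshd_config(config_text):
    """Findings for the two points in the post: root login and the SSH port.
    Defaults (PermitRootLogin yes, Port 22) are assumed from OpenSSH of the time."""
    findings = []
    root = effective_setting(config_text, "PermitRootLogin", "yes")
    if root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}', expected 'no'")
    if "22" in listen_ports(config_text):
        findings.append("sshd listens on the default port 22")
    return findings

# Constructed sample: the "no" added lower down never takes effect because
# the earlier "PermitRootLogin yes" is read first.
SAMPLE_CONFIG = """\
Port 22
Port 2222
PermitRootLogin yes
PermitRootLogin no
Match Address 192.168.1.0/24
    PermitRootLogin yes
"""
```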
 
Old 02-08-2006, 09:49 AM   #3
Thinking
Member
 
Registered: Oct 2003
Posts: 249

Original Poster
Rep: Reputation: 30
yeah right, didn't think about this on port knocking

well i think i will do the honeypot stuff too (it shouldn't be a problem, using a vserver, not? so the hacked honeypot can't get out of the sandbox (vserver) right?)
and the icq notification should be simple too
and password rotation is extremely crazy, so it's the right stuff for me ;-)
 