need hardcore firewall! gentoo, 2.6.11-gentoo-r3
hiho@ll
somebody got my attention while he showed me that my system isn't really secure ;-)
what i now need/want is:
give me any idea you have which can make a firewall really hardcore!
this means:
think about a system which has no security and many services
anonymous ftp access with write privilege
very simple ssh2 access
samba
apache2
p2p (emule,amule such stuff)
what steps would you do to make this secure?
and please: nothing is too extreme!
i thought about making every service run in a vserver so if it gets hacked it's only the vserver!
if it needs programming skills, it's not a problem! (i think i will write a log file check, which notifies me at work if it notices a bad guy ;-) )
btw: is it possible to allow ssh access to a vserver if it comes from the internet, and allow ssh to the whole machine if it comes from the local LAN? (hmm, iptables?)
what i thought:
1. disable ping (iptables)
2. mix the ports (all above 1024) (apache2,p2p,ssh,ftp, samba is only allowed from local net)
3. generate extremely long passwords (and usernames too!! e.g. username: kdur836dk8745kfgndfglkj34578435)
4. very strict access for apache2,ssh,ftp (btw: how can i disallow root access over ssh? i want to log in as simple user and do "su" to become root)
5. firewall iptables to allow only a few IPs from the internet!
6. vserver for every service
7. log file backup
8. i also thought about password rotation! this means i write a prog which changes users passwords depending on a simple algorithm every hour or every day
[EDIT]
9. honey pot (vserver, every standard service running, ssh, ftp (anonymous access))
10. instant messaging system (event driven: on log in notify using ICQ or email (used for honey pot ;-) ))
[/EDIT]
[EDIT]
btw: how does port knocking work? e.g. does it depend only on the server side, or does the client need modifications too?
[/EDIT]
hmm, i think that's all for now
thx@ll
Last edited by Thinking; 02-08-2006 at 01:11 AM.
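As an added example (not part of the original post or any reply), here is a small shell script covering two of the items asked about above: checking that sshd refuses root logins (point 4), and an iptables layout that lets the LAN reach the host's own sshd while the internet can only reach the sshd inside a vserver (the question about vserver vs. whole-machine ssh). All addresses, interface names and ports are hypothetical; the script only prints the iptables rules rather than applying them, so it can be read and tested without root. It assumes the vserver's sshd listens on an address that is an alias on the host (as Linux-VServer guests normally do), so plain INPUT rules suffice; a guest with its own network stack would need FORWARD/NAT rules instead.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical values:
LAN_NET="192.168.1.0/24"     # trusted local network
HOST_SSH_IP="203.0.113.10"   # host's own public address (sshd for the whole machine)
VSERVER_SSH_IP="203.0.113.11" # alias on the host used by the vserver's sshd
SSH_PORT="22"

# Print the effective PermitRootLogin value from an sshd_config file.
# sshd uses the first uncommented occurrence of a keyword, so we stop at the
# first match; "unset" means the daemon's compiled-in default applies.
sshd_root_login_setting() {
    v=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$1")
    [ -n "$v" ] && echo "$v" || echo "unset"
}

# "ok" only when root logins over ssh are refused outright; anything else
# (yes, without-password, unset) is reported as "weak" for the purpose of
# the "log in as a user, then su" policy described in the post.
check_root_login() {
    case "$(sshd_root_login_setting "$1")" in
        no) echo ok ;;
        *)  echo weak ;;
    esac
}

# Emit iptables rules (not executed here):
#  - ssh to the host's own address: LAN only
#  - ssh to the vserver's address: allowed from anywhere
#  - everything else on the ssh port: dropped
ssh_firewall_rules() {
    cat <<EOF
iptables -A INPUT -p tcp -d $HOST_SSH_IP --dport $SSH_PORT -s $LAN_NET -j ACCEPT
iptables -A INPUT -p tcp -d $VSERVER_SSH_IP --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -j DROP
EOF
}

# Usage (uncomment to run by hand):
# check_root_login /etc/ssh/sshd_config
# ssh_firewall_rules
```

Setting `PermitRootLogin no` in sshd_config and restarting sshd is what makes `check_root_login` report `ok`. Port knocking, asked about at the end of the post, fits the same picture: a daemon on the server watches for a specific sequence of connection attempts and only then inserts an ACCEPT rule like the ones above; the ssh client itself needs no modification, only something that sends the knock sequence first.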