LinuxQuestions.org
Old 07-30-2006, 09:02 PM   #1
bones996
Member
 
Registered: Sep 2003
Location: Pennsylvania
Distribution: Debian Squeeze
Posts: 106

Rep: Reputation: 15
new firewall setup


I was wondering what some of the security gurus might think about installing a new firewall this way & how well it might work.

Firewall

* Monolithic kernel - no usb, sound, video, mass storage, etc.

* all unnecessary services disabled

* extra users & groups removed - ftp, news,

* minimal install & remove extra base packages - install upgrades from trusted cd (all rpms gpg signed),

* Extra packages - bastille, blockhosts, sshdfilter,

* Daily checks with tripwire (database on cdr), rkhunter, chkrootkit, & antivir
Weekly checks with lsat & tiger

script is encrypted with shc (http://www.datsi.fi.upm.es/~frosal/)

* SSH on different port (not 22) - no root login

* /etc/hosts.deny
All: ALL

* /etc/hosts.allow
sshd: 192.168.1.5 (penguin command)

* /etc/rc.d/rc.local
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

* configure network access, get new updates if any
 
Old 07-31-2006, 07:20 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
sounds good to me...

BTW, isn't icmp_echo_ignore_broadcasts redundant since you're already using icmp_echo_ignore_all??

also, remember to activate spoof protection:
Code:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
and here's a few other kernel parameters you might want to look into:
Code:
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/tcp_rfc1337
google them to determine whether you want them activated or disabled...

another thing you should look into is patching your kernel with grsecurity:

http://grsecurity.net/

just my ...
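
The settings suggested in the two posts above, turned into a drift check rather than a one-shot set of echo lines (an added example, not code from either poster): the function reads each key under a /proc tree and reports OK, DRIFT or MISSING, so it can run from cron next to the daily tripwire/rkhunter checks. The baseline list and the `audit_sysctl` name are this example's own; `PROC_ROOT` defaults to /proc but can point at a constructed directory for offline testing.

```shell
#!/bin/sh
# Added example: audit the kernel parameters recommended in this thread.
# key=expected pairs taken from the two posts above. The
# tcp_window_scaling / tcp_sack / tcp_timestamps lines are left out on
# purpose: the poster says to research them first, and they trade TCP
# performance for hardening, so they belong in a site-specific list.
SYSCTL_BASELINE='
net/ipv4/icmp_echo_ignore_all=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/secure_redirects=1
net/ipv4/tcp_rfc1337=1
'

# audit_sysctl [PROC_ROOT]
# Prints one line per key and returns 0 only when every value matches,
# 1 when any key is missing or has drifted from the baseline.
audit_sysctl() {
    root="${1:-/proc}"
    rc=0
    for entry in $SYSCTL_BASELINE; do
        key="${entry%%=*}"
        want="${entry#*=}"
        file="$root/sys/$key"
        if [ ! -r "$file" ]; then
            # module not loaded, option compiled out, or wrong kernel
            echo "MISSING $key"
            rc=1
            continue
        fi
        have=$(cat "$file")
        if [ "$have" = "$want" ]; then
            echo "OK      $key=$have"
        else
            echo "DRIFT   $key=$have (expected $want)"
            rc=1
        fi
    done
    return $rc
}
```

Run it as root with `audit_sysctl` (or `audit_sysctl /proc`) and act on any DRIFT line; a non-zero exit status makes it easy to mail the output from cron only when something changed.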
 