Thanks, I appreciate your time. Larry Nobs ----- Original Message ----- From: "Kent Borg" <kentborg-rhl@xxxxxxxx> To: <redhat-list@xxxxxxxxxx> Sent: Thursday, October 16, 2003 4:35 PM Subject: Re: Firewall - Limit Geographic Area > On Thu, Oct 16, 2003 at 12:37:23PM -0500, lrnobs wrote: > > Remember that I am a beginner at this and am trying to learn about > > all the weapons that are available to protect my little site. > > Security. A lot of people have a lot of good advice about security, > but much of it is unrealistic. > > Attempting to be reasonable, here is my current recipe for security: > > - Redhat's default install is quite secure (and at least a zillion > times more secure than a Microsoft Windows machine can be). > > - Redhat's distribution is *only* secure if you keep up to date with > their bug fixes. Redhat is conservative about what they release > as a fix, so you want apply them all. And apply these fixes > promptly! RHN makes it easy. (Consider buying one of their > Enterprise products, they have much longer life span during which > Redhat will supply updates.) > > - You do not have to understand everything that Redhat has done in > their configuration (this is because they have done a decent job), > but you *do* have to understand everything you do that deviates > from Redhat's configuration, or you *will* introduce security > holes. This means you can start out not being a know-it-all, and > learn more as you get in deeper. (But you should learn enough > right away to understand what I talk about here.) > > - Get another Linux computer, possibly a notebook, and use it as a > safer place to learn, a place which won't disrupt your business. > Keep it secure too. > > - Do not let the passwords for your server get in the hands of > hardware you don't control. This means: > > - do not reuse passwords between your server and, say, random > websites on the internet (it is OK to write passwords down if > it makes it possible to not reuse passwords, just don't write > down in a stupid place, such as putting your ATM pin on your > ATM card); > > - use good passwords, this means make them long, which Linux > allows, try to have their components be things you didn't > choose (that way no one could guess what you would > choose--people are very bad at being random), what I do is > *randomly* choose three english language words, connect them > with hyphens, and use that (if you would like I can supply > more information on exactly how I do any why it is secure); > > - do not let your server passwords into hardware you don't > control (not at Kinkos, not at airport Kiosks, not over > unencrypted links such as telnet, unencrypted pop, etc., > instead login at your server or through your own laptop, use > ssh, encrypted pop, etc.); > > - don't ssh into a computer you don't control and then ssh into > your server, that is like typing on a Kinkos keyboard). > > - If you think you have been broken into, assume the compromised > computer is out to get you and will report everything it can back > to the Bad Guys. Get necessary pure data (not software!) backed > up on floppy or CD, get evidence of what happened if you can, then > rebuild from first principles. Reformat, use original media, > apply all fixes, do fresh downloads of any extras you collected, > etc. > > - Do not operate as root except when you have to. Fire up X as you, > and type the extra password when you do any adminstration. > > - Be leery of fancy things being done for you as a user. Use the > simpler e-mail program over the fancy one with all the bells and > whistles. Turn off features that smack of things being done for > you automatically, those features are more likely to be subverted. > Worry about Javascript in your web browser, it has been associated > with lots of bugs and security holes in the past, consider keeping > it turned off except when you need it for a trusted site that > requires it, then turn it off again. Decide whether you really > need to install Flash or other web plugins. Open Office is a cool > software suite, but it has a powerful macro feature, be worried > about what documents you hand it--where did they come from?, one > of these days there will be a macro virus or worm that uses that > avenue, be cautious and you could well avoid that bug, I plan to. > > - Do not strip your server down so far that you can't readily use it > anymore. To do that well you will need to know more than a newbie > does, you will likely introduce more vulnerabilities than you > remove. > > - Do not depend on a firewall for security. Firewalls are > complicated to set up because they require a significant > understanding of networking, and you could easily get it wrong. > Make your system secure without a firewall. Only then add a > firewall, and only as an *extra* protection. > > - As you learn more, consider ways you might make Redhat's > installation more secure. For example, probably use Postfix > (which was designed to be secure, and Redhat installs it for you) > instead of sendmail (which is old and groady), maybe install and > use Maradns (which was written to be secure) instead of bind > (which is also groady). > > - Do not blindly trust anyone, stop and think. This includes not > trusting any advice I give you--stop and think about what I say, > check out my assertions of fact (such as whether Redhat's default > install is reasonably secure, whether their updates are > conservative, whether Postfix and Maradns have good security > reputations, etc. www.google.com/linux is your friend). > > Warning: some will disagree with what I write here. Listen to them, > see if what they say makes sense. Think. > > > > -kb, the Kent who is waiting for the fan to get dirty. > > > P.S. Non-security advice: Keep a log of everything you do to your > server. It will not only be useful as a reference, but it will slow > you down in how you mangle your server by forcing you to take those > notes. > > > -- > redhat-list mailing list > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe > https://www.redhat.com/mailman/listinfo/redhat-list > > -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
