Re: securing dhcp servers

Pretty easy... I assume you are using it for your personal internal home network here.

The first thing!
1) make sure dhcpd listens only on your internal network. That is done by adding the line
DHCPDARGS=eth1
in /etc/sysconfig/dhcpd. Of course, substitute eth1 with your internal network interface (i.e. the network card connecting your LAN to the box).


Some other things to think about:
2) block ports 67 and 68 in your firewall config for incoming traffic from the outside (just to be sure)
3) if you enable OMAPI, block its listening port (7911 by default) from the outside.
4) if you use OMAPI, make sure all transactions are TSIG signed.
5) in your firewall config, block all traffic from and to your internal network subnet on ADSL. Even if they hijack an address it won't help them much.


The most important one is the first option mentioned. 2 and 5 are also good to implement. For home networking, OMAPI is rarely used. If you don't know what it is, you're not using it :)

By the way, whether squid or mail is offered is pretty irrelevant for dhcpd security.

Have fun,
Eric.

Jochen Kächelin wrote:

What's the first thing to do for securing
a dhcp-server running on a machine offering adsl,squid and mail?
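
A small audit script for points 1, 3 and 4 of the reply above, added here as an example; it is not part of the original message. It assumes ISC dhcpd's `omapi-port` and `omapi-key` statements in dhcpd.conf, and the function names, the file paths in the usage comment and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): checks points 1, 3 and 4.
# Usage: sh audit.sh /etc/sysconfig/dhcpd /etc/dhcp/dhcpd.conf  (conf path is an assumption)

# Print the value of the last uncommented DHCPDARGS= line, quotes stripped.
dhcpd_args() {
    sed -n 's/^[[:space:]]*DHCPDARGS=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Succeed if dhcpd.conf has an uncommented omapi-port statement.
omapi_enabled() {
    grep -Eq '^[[:space:]]*omapi-port[[:space:]]+[0-9]+[[:space:]]*;' "$1"
}

# Succeed if omapi-key names a key that has a matching key { } block.
omapi_signed() {
    key=$(sed -n 's/^[[:space:]]*omapi-key[[:space:]]\{1,\}\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' "$1" | tail -n 1)
    [ -n "$key" ] && grep -Eq "^[[:space:]]*key[[:space:]]+\"?$key\"?[[:space:]]*\{" "$1"
}

# Print one line per finding; return the number of findings (0 = clean).
audit_dhcpd() {
    findings=0
    if [ -z "$(dhcpd_args "$1")" ]; then
        echo "FAIL: DHCPDARGS is empty, dhcpd is not pinned to the internal interface"
        findings=$((findings + 1))
    fi
    if omapi_enabled "$2" && ! omapi_signed "$2"; then
        echo "FAIL: omapi-port is set but no defined omapi-key signs the transactions"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: interface pinned, OMAPI off or signed"
    return "$findings"
}

# Constructed sample dhcpd.conf: OMAPI enabled and signed (secret is a placeholder).
sample_conf() {
    cat <<'EOF'
omapi-port 7911;
omapi-key omapi_key;
key omapi_key {
    algorithm hmac-md5;
    secret PLACEHOLDER_BASE64_SECRET;
}
EOF
}

# Run against real files only when two paths are given.
if [ "$#" -eq 2 ]; then audit_dhcpd "$1" "$2"; fi
```

The firewall items (2 and 5) are not covered here; they depend on the external interface name and rule set in use.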





