<HTML>
<HEAD>
<TITLE>Securing Your Connection</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+">
<LINK REL="HOME" TITLE="DSL HOWTO for Linux" HREF="index.html">
<LINK REL="PREVIOUS" TITLE="Configuring Linux" HREF="configure.html">
<LINK REL="NEXT" TITLE="Performance Tuning and Troubleshooting" HREF="tuning.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">DSL HOWTO for Linux</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="configure.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom"></TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="tuning.html" ACCESSKEY="N">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="SECURE">4. Securing Your Connection</A></H1>
<P> This section is intended for those who have not previously dealt with the
security implications of having a full-time Internet connection, or who may not
understand some of the basic concepts of security. This is meant to be just a
quick overview, not a comprehensive examination of all the issues! Just
enough to give you a gentle shove in the right direction. Please see the
<A HREF="appendix.html#LINKS">Links section</A> for sites with more details. Also, your
distribution surely has plenty of good information as well. </P>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN623">4.1. Security Quick-start</A></H2>
<P> Before going on-line full-time, do not underestimate the need for securing
your connection. You will have two things that mischief makers and crackers
of the world are looking for: bandwidth, and a Unix-like OS. You instantly
become an inviting target. It is just a matter of time before someone
comes knocking. Possibly a very short time. A quick start:
</P>
<P>
<UL>
<LI><P> Turn off any daemons and services that aren't absolutely essential and
can be accessed from outside. You can't get compromised through a port
that isn't open. Use <B CLASS="COMMAND">ps</B> and <B CLASS="COMMAND">netstat</B>
to see what services are running (see the man pages for specifics). Do you
really need <B CLASS="COMMAND">named</B>, <B CLASS="COMMAND">sendmail</B>,
<B CLASS="COMMAND">telnet</B> and <B CLASS="COMMAND">ftp</B> running and accessible
to one and all? If you are not sure, they should not be running. Then take
whatever steps are necessary to make sure they don't start again on the next
boot; see your distribution's documentation on this.
</P>
<P> Many distributions start some well-known services by default. You may not
have done anything yourself to start these, and may not even
realize they are running. But it is up to you to know what is
running, and how safe it is. Don't rely on a <SPAN CLASS="QUOTE">"default"</SPAN>
installation of any distribution to do this for you, or to be secure.
Chances are it isn't.
</P></LI>
<LI><P> If you decide some services are essential, make sure you are running the
most current version. Exploits are found, and then get fixed quickly.
Don't get caught with your pants down. A full-time connection makes
staying updated very easy -- and very important. Check with your
distribution to see what new packages are available. Then stay in
touch. If they have a security mailing list, get on it.
</P></LI>
<LI><P> Take passwords seriously, using non-dictionary <SPAN CLASS="QUOTE">"words"</SPAN>. Use
shadow passwords (this should be a standard feature of newer
distributions). Do not allow remote root logins. See the
<A HREF="http://www.tldp.org/HOWTO/Security-HOWTO.html" TARGET="_top">Security
HOWTO</A> for more details and ideas.
</P></LI>
<LI><P> Use <B CLASS="COMMAND">ssh</B> instead of <B CLASS="COMMAND">telnet</B>
or <B CLASS="COMMAND">rsh</B>.
</P></LI>
<LI><P> Set up a firewall to limit access, and log connection attempts. This will
be different depending on which kernel series you are using:
<B CLASS="COMMAND">ipfwadm</B> for 2.0, <B CLASS="COMMAND">ipchains</B> for 2.2,
and <B CLASS="COMMAND">iptables</B> for 2.4. See the below HOWTOs for a more
in-depth discussion on this and other security-related topics:
</P></LI>
<LI><P>
<UL>
<LI><P> <A HREF="http://tldp.org/HOWTO/Security-Quickstart-HOWTO/index.html" TARGET="_top">Security-Quickstart-HOWTO</A>
and, for Red Hat based distros,
<A HREF="http://tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/index.html" TARGET="_top">Security-Quickstart-Redhat-HOWTO</A>
</P></LI>
<LI><P> <A HREF="http://www.tldp.org/HOWTO/Firewall-HOWTO.html" TARGET="_top">Firewall
HOWTO</A>
</P></LI>
<LI><P> <A HREF="http://www.tldp.org/HOWTO/Security-HOWTO.html" TARGET="_top">Security
HOWTO</A>
</P></LI>
<LI><P> <A HREF="http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html" TARGET="_top">IPCHAINS
HOWTO</A>
</P></LI>
<LI><P> <A HREF="http://netfilter.samba.org" TARGET="_top">Netfilter/Iptables docs</A>
</P></LI>
<LI><P> <A HREF="http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO.html" TARGET="_top">IP
Masquerade HOWTO</A>
</P></LI>
</UL>
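To put the first and fifth quick-start items into practice, here is an added shell example that is not part of the HOWTO: it picks the listeners bound to all interfaces out of a constructed `netstat -tlnp` sample, and prints (rather than applies) a minimal iptables ruleset for a 2.4 kernel that drops and logs unsolicited inbound connections. The sample output and the `exposed_listeners` and `firewall_rules` function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the HOWTO. Constructed `netstat -tlnp` output for a
# box running named, sendmail, inetd (telnet/ftp) and sshd.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      412/named
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      530/sendmail
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      201/inetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      611/sshd
tcp6       0      0 :::21                   :::*                    LISTEN      201/inetd'

# Print "port program" for every TCP listener bound to a wildcard address
# (0.0.0.0 or ::), i.e. reachable from the Internet; loopback-only ones are skipped.
# On a live system, replace NETSTAT_SAMPLE with the output of `netstat -tlnp` run as root.
exposed_listeners() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":"); port = part[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::") {
                split($7, prog, "/"); print port, prog[2]
            }
        }'
}

# Emit an iptables (2.4 kernel) ruleset: drop everything inbound by default,
# admit loopback, replies to our own connections and the TCP ports given as
# arguments, and log (rate-limited) whatever else knocks. Printed, not applied,
# so it can be reviewed; run the output as root once it looks right.
firewall_rules() {
    echo 'iptables -P INPUT DROP'
    echo 'iptables -F INPUT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Rate-limited so a port scan cannot flood the logs.
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
}

# Usage: see what is exposed, decide what stays (here only ssh), then generate rules.
exposed_listeners
firewall_rules 22
```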
</P>
<P> Additional references are in the <A HREF="appendix.html#LINKS">Links Section</A>
below.
</P></LI>
</UL>
</P>
</DIV>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="configure.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html" ACCESSKEY="H">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="tuning.html" ACCESSKEY="N">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Configuring Linux</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"> </TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Performance Tuning and Troubleshooting</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>