Forum OpenACS Q&A: Re: basic firewall features on RH 8.0

Posted by Jerry Asher on
After setting up the basic firewall with lokkit, rm lokkit.

It used to be unable to read the current rules (even if it wrote them) and understand what your firewall is trying to do. So all new configs started from scratch and wasted your previous configuration. Has that been fixed, or is it still the typical pos?

Use lokkit to start, then turn to emacs.

Also, there is a terrific book, Real World Linux Security by Toxen, that comes with enormous amounts of firewall rulesets. For instance, you really don't want to stop iptables and restart it to load new rules, and Toxen shows you how to eliminate the microseconds of vulnerability. Great for the paranoid but difficult for the arm-chair sysadmin. It also comes with scripts (for non-commercial use) that make logwatch useful, by stripping out all the daily crapola.

Do buy a copy of SSH, The Secure Shell by Barrett & Silverman. There are some wonderful features in SSH that can make it much easier for you to present to the world a tightly locked down box, while presenting to you, and only to you, the vast wasteland.

And do remember, a firewall is not enough, because one day you will forget to reenable it, or it will not load. (This actually has been the subject of a redhat errata this week -- a bug in their newest kernel kept iptables from loading on certain machines.) So turn off all unnecessary services. Consider removing gcc and even emacs.

If your server is offsite, then consider failsafing it. Install cron jobs to ensure the firewall is up and that you have connectivity and, if you do not, to take various failsafe actions: reboot, replace /etc with a failsafe version from a tar file, etc.

Look into chkrootkit and build a CD of executables for chkrootkit to run from. Keep that CD in place and schedule chkrootkit to run nightly. Consider booting from a write-protected floppy (something that can help raided sys disks too) or booting from CD. Note, unfortunately, that if you do boot from write-protected removable media, you will be running on old kernels until you can change out the media. Some folks think that's prudent anyway.

Look into bastille.  It's useful as a teaching tool, but I didn't like it for the somewhat non-standard (presumably better) tools it used.

Back up your system. I have a website that does nothing more than serve up a MIME encoded encrypted tar backup of my website and pg db along with a few choice keywords. This little known trick lets me obtain recent backups out of the google cache or the Internet wayback machine.

Lastly, if you have a wifi ethernet card, place tin-foil around it.  Mars is very close right now, and experts have predicted that populations of martian hybrid babies will skyrocket.
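One way to script the cron-driven failsafe check the post describes (firewall loaded? connectivity present? if not, restore a known-good ruleset), as an added example that is not part of the original post. The rules file path, the probe host and the use of `iptables -S` / `iptables-restore` are assumptions.

```shell
#!/bin/sh
# Cron-driven failsafe (added example, not from the post): verify the firewall is
# really loaded and the box still has connectivity; if not, reload a saved ruleset.
# Paths, the probe host and iptables -S / iptables-restore usage are assumptions.
set -eu

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"  # assumed saved ruleset (iptables-save format)
PROBE_HOST="${PROBE_HOST:-192.0.2.1}"                 # placeholder upstream host (TEST-NET-1)
LOG_TAG="fw-failsafe"

# rules_loaded: read an "iptables -S" dump on stdin and decide whether the
# firewall is in force: INPUT policy must be DROP and at least one INPUT rule
# must exist. A kernel that failed to load the rules shows only the default
# "-P INPUT ACCEPT" lines and must fail this check.
rules_loaded() {
    awk '
        $1 == "-P" && $2 == "INPUT" && $3 == "DROP" { policy = 1 }
        $1 == "-A" && $2 == "INPUT"                  { rules++ }
        END { exit !(policy && rules > 0) }
    '
}

# have_connectivity: a single ICMP probe; a dead link and a ruleset that blocks
# our own outbound traffic both show up here.
have_connectivity() {
    ping -c 1 -W 3 "$1" >/dev/null 2>&1
}

# restore_firewall: commit the whole saved table in one step with
# iptables-restore instead of flushing and re-adding rule by rule.
restore_firewall() {
    iptables-restore < "$RULES_FILE"
}

main() {
    if iptables -S INPUT | rules_loaded; then
        logger -t "$LOG_TAG" "firewall rules present"
    else
        logger -t "$LOG_TAG" "firewall not loaded, restoring from $RULES_FILE"
        restore_firewall
    fi
    if ! have_connectivity "$PROBE_HOST"; then
        logger -t "$LOG_TAG" "no connectivity to $PROBE_HOST, restoring ruleset"
        restore_firewall
        have_connectivity "$PROBE_HOST" || logger -t "$LOG_TAG" "still down, manual action needed"
    fi
}

# Only act when invoked as the cron job, e.g. "0 3 * * * /usr/local/sbin/fw-failsafe --run".
if [ "${1:-}" = "--run" ]; then main; fi
```

The "reboot" and "replace /etc from a tar file" actions from the post would slot into `main` beside `restore_firewall`; they are left out here because they are site-specific.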