From: "Robert L Sowders" <rsowders@usgs.gov>
To: david@banning.com
Cc: questions@freebsd.org
Subject: Re: security question
Date: Sat, 26 May 2001 04:34:28 -0700

Forgive me this is long winded.

If you want a simple step by step setup for an ipf firewall on freebsd-stable try:

http://www.schlacter.dyndns.org/public/FreeBSD-STABLE_and_IPFILTER.html

If you have installed webmin with the SSL option then you should be safe for remote logins.

Do not trust telnet, or ftp. It is too easy to pick off passwords that are transmitted in the clear. Only allow ssh or tunneled protocols to pass in from the outside. With the correct firewall setup, outgoing connections of any kind should be ok. I mean it will not jeopardize any inside machines; clear text passwords on the outside receiving machines will still be out there for anyone to grab.

After you have followed the security guidelines from the handbook you are protected from 95% of the weekend hacker wanna-bes.

It is not advisable to run a web server behind your firewall and allow connections in from the outside. The entire network topology becomes complicated in a hurry, and your required knowledge of things like proxy servers, firewalls, and web servers will grow exponentially. If you still insist on doing it this way then here goes. If someone discovers a new exploit for your webserver then all your protected machines will be at risk. It is much better to set up a DMZ with two firewalls, and keep all your protected machines behind another with the web server behind its own, possibly with a proxy server in front of the web server. This way all incoming connections for the webserver pass through a firewall which only permits http traffic to the proxy, which in turn speaks for the web server. It also has the added benefit of accelerating the web server. This way all web server exploits have to make it past the proxy first. Your protected machines behind the other firewall need to get to the web server itself to update web pages; this can be done with a VPN tunnel between the two firewalls.

The firewall in front of your protected machines allows nothing to pass through the firewall that is not asked for by the protected machines, and every outgoing packet is NATed so no one can get the ip of the protected machines. Hackers are forced to either hack the firewall or induce a protected machine to install a trojan tunnel (usually via infected email attachments).

While there are still ways to drill through firewalls (firewalker comes to mind), you have still put up enough layers of defense that almost 99.9% of all Sunday hackers will look elsewhere for something easier (an IIS web server perhaps :-). You would have to have something extremely interesting or valuable to hold someone's attention for very long.

If you got a few bucks you might want to look at http://www.gnatbox.com

This is a firewall and operating system (FreeBSD+IPF) that runs on a floppy. You put it in, boot the machine, presto, instant firewall. They give it away for home use. They also have a full featured version for 300.00 that has almost everything you could ask for in a firewall. It even has a stealth feature to make the firewall look like a black hole on the internet. All this with a web interface you can manage from the inside.

Good luck, hope I've answered most of your questions.
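As an added example (not part of either message), here is a minimal IPFilter ruleset and NAT map for the "firewall in front of your protected machines" described above on a FreeBSD 4.x gateway: nothing inbound except ssh, outgoing connections of any kind with state kept, and every outgoing packet NATed. The interface names fxp0 (outside) and xl0 (inside), the 192.168.1.0/24 LAN and the proxy address placeholder are assumptions.

```ipf
# /etc/ipf.rules  (load with: ipf -Fa -f /etc/ipf.rules)
# Assumed layout: fxp0 = outside interface, xl0 = inside LAN 192.168.1.0/24.
# Rules are read top to bottom; "quick" stops at the first match.

# Loopback and the trusted inside interface are unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on xl0 all
pass out quick on xl0 all

# Anti-spoofing: packets arriving from outside must not claim an inside
# or loopback source address.
block in log quick on fxp0 from 192.168.1.0/24 to any
block in log quick on fxp0 from 127.0.0.0/8 to any

# Only ssh may come in from the outside; the state entry created here
# lets the reply packets back out without further rules.
pass in  quick on fxp0 proto tcp from any to any port = 22 flags S keep state

# Telnet and ftp inbound are refused and logged explicitly
# (the "log" lets you watch who is knocking with ipmon).
block in log quick on fxp0 proto tcp from any to any port = 23
block in log quick on fxp0 proto tcp from any to any port = 21

# Outgoing connections of any kind are allowed; "keep state" means only
# the replies the inside machines asked for are let back in.
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Default deny for anything not matched above.
block in  log quick on fxp0 all
block out log quick on fxp0 all

# On the DMZ firewall the single inbound rule would instead be
#   pass in quick on fxp0 proto tcp from any to <proxy-ip> port = 80 flags S keep state
# with the proxy, not the web server itself, as the destination.

# /etc/ipnat.rules  (load with: ipnat -CF -f /etc/ipnat.rules)
# Every packet leaving fxp0 from the LAN is rewritten to the outside
# address, so the inside machines' IPs never appear on the Internet.
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 192.168.1.0/24 -> 0/32
```

To have both loaded at boot, set ipfilter_enable="YES", ipnat_enable="YES" and gateway_enable="YES" in /etc/rc.conf.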

David Banning <sky_tracker@yahoo.com>
Sent by: owner-freebsd-questions@FreeBSD.ORG
05/26/2001 03:24 AM GMT
Please respond to david

To: questions@freebsd.org
cc:
bcc:
Subject: security question


I am setting up a small network of Windows desktops that are
accessing the net through a FreeBSD server. If I disable telnet, ftp,
and everything in inetd.conf leaving only http open, what are my
risks?

I have webadmin running.
I would *like* telnet and shell (rshd) to run, so I can telnet
in. I can't imagine how someone could break in to a system, so
I am pretty lost in assessing this risk.

I know SSH is better for telneting in to the server, but then
it has to be on every machine that you telnet in from.

When I hear "don't use telnet unless you have to", I
wonder. I know several sites that have telnet where I can login,
and those places are a lot bigger than my little ol' place.

If I use telnet, is there really such a risk?
I'm going all over the place here. Maybe someone could recommend a good
place to learn about this topic?
I started with the FreeBSD Security How-to which is a good starter.




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
