Date:      18 Feb 1998 11:54:56 +0100
From:      Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To:        questions@FreeBSD.ORG, isp@FreeBSD.ORG
Subject:   Re: Books on security
Message-ID:  <873ehh41z3.fsf@devnull.ruhr.de>
In-Reply-To: mgraffam@mhv.net's message of "Wed, 18 Feb 1998 00:00:24 -0500 (EST)"
References:  <Pine.LNX.3.96.980217234042.3140A-100000@localhost>

mgraffam@mhv.net writes:

> Hmm, well my first suggestion would be to read "Practical UNIX and
> Internet Security" by Garfinkel and Spafford. After that, there is a
> book called "Internet Security" (forget the author's name, and I don't
> have my copy around, sorry). Reading these books won't do much good though
> unless you follow up for your specific system. That is, read the CERT
> warnings, read through the 8lgm archives, check out www.rootshell.com 
> etc. Before I install any piece of software on my system, I search these
> archives looking for trouble spots.

Plus:
    Chapman/Zwicky: Building Internet Firewalls
    O'Reilly & Assoc.

Interesting mailing lists:
    bugtraq@netspace.org
    best-of-security@cyber.com.au
    firewalls@greatcircle.com

(You'll probably find the details on how to subscribe on their web servers.)

FTP servers:
    ftp.cert.org
    Some assorted RFC mirror

> I run lpd and other stuff on my machine that connects to the internet.
> All such services need to run in order for my other machines to be
> able to print, and get the drives via NFS and such. Even though 
> /etc/hosts.equiv has no entry in it from off my network, I have its
> port blocked to the internet. No one off my net could print as it stands,
> but I don't even allow them to connect. 
> 
> And if one day some host in peru does need to print on my system, all
> I need to do is to put one new ip firewalling rule in place. No big
> deal.

Actually, that can be a "big deal" if IP spoofing is a serious
problem.  Using an old 386 as packet filter can save attacks from some 
outside, but punching holes for specific IP addresses can be
dangerous.  

That tcpwrapper stuff is nice if you can trust source IP addresses
and/or want to improve host security, but to protect a whole network
against attacks from outside you better use a packet filter.  

If you need some virtual network with some machines in Peru you
probably should consider using some crypto tunnel.

> Of course, I run S/key, Ssh and a tripwire too .. but I am in a hostile
> environment.. you may not need to protect against passive eavesdropping,
> or you may not need encrypted sessions, but for the minimum of resources
> that they require, compared to their advantages, I don't see a reason not
> to run them, myself.

S/key is vulnerable to session hijacking, so ssh may be a better
choice.  If you use rdist, ssh has the additional advantage that it
allows root to run it while plain rsh won't.

-- 
Ben(edikt)? Stockebrand    ---    Un*x system administrator looking for a job

