Date: Fri, 10 Aug 2001 11:30:47 +0200 (CEST)
From: m p <sumirati@yahoo.de>
To: Keith Spencer <bsd2000au@yahoo.com.au>, crimsun@email.unc.edu
Cc: freebsd-questions@freebsd.org
Subject: Re: Help advice needed! ->Re: Yep-I been hacked!
Message-ID: <20010810093047.98507.qmail@web13304.mail.yahoo.com>
In-Reply-To: <20010809225243.35195.qmail@web12007.mail.yahoo.com>

--- Keith Spencer <bsd2000au@yahoo.com.au> wrote:
> Hi Marc and all
> I am grateful to all for the feedback. These cracking
> idiots are a pain and waste my valuable time!

Like the time of everyone else.

> Some advice please. What if I....
> * Build a separate firewall machine ( I have one to
> use) which is only that using IPFW.

Building a hardened bridging/routing host for the borders of your
network(s) is always a good idea.

> * Have my existing dns/web/mail/ftp/router on a
> separate machine with dual network cards...one
> attached to the Lan and one attached to the firewall
> computer.

The concept that most people are using today is named "Bastion Host".
That means a host (or bundle of machines) that is doing proxying (not
allowing / controlling which content/service can be accessed), packet
filtering (blocking unwanted connections to ports where people don't
have to go), reporting tools (so that you know what's going on) .. and
much more. This concept is called "Firewall".

So perhaps you want to install more than only a packet filter (that is
what IPFW is - an IP firewall). Try squid for example, or another proxy
you heard about / have knowledge about. And try the FWTK (Firewall Tool
Kit from tis.org - classic but good).

Take the machine you don't need at the moment and put _three_ NICs into
it (if you do not have enough, take one from your "all-purpose server").
One NIC will go to the outside, one to the inside and the third will
_only_ go to your "all-purpose server".

Then take a look at daemonnews where an article was posted:
http://www.daemonnews.org/200103/firewall.html

Or other articles like these:
http://www.daemonnews.org/200108/security_overview.html
http://www.daemonnews.org/200108/security-howto.html

They will give you an idea - and you have to _think_ about security.
Every time.

>
> OR
> simply setup IPFW on the existing router
>

With a web-/mail-/dns-/ftp-server on it? Think again. If you think "yes"
go back two sentences. :)

>
> With option 1, how do I disable or restrict all
> compilers and ability to run scripts etc or whatever I
> need??

Don't install any compiler. If some are installed, delete/remove them,
or move them to a directory and burn this to CD-R so that you can access
them if you need them. You may want to look up login.conf for some
parameters (e.g. how many processes can be run in parallel). (It will be
in the user home directory)

> I presume I need to include rules to allow mail web
> etc requests to pass. The Freebsd docs has a section
> on firewalls, will this be a sufficient set to let my
> standard services run..e.g. mail to get out & in and
> http requests in from the world to apache?

Whether this procedure will be sufficient depends on what data you need
to save. Private data? Or a whole company's? How much data lies on these
outside components?

Read the articles above and perhaps buy the book "Building Internet
Firewalls" from Chapman / Zwicky and others - the classic one. Then
develop your own rules.

Just my two cents
Marc

__________________________________________________________________
Do You Yahoo!?
Sent by Yahoo! Mail - http://mail.yahoo.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010810093047.98507.qmail>
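
The three-NIC layout described in the message above (outside, inside, and a third leg that goes only to the all-purpose server), written out as an ipfw rules script. This is an added example, not part of the original e-mail or of the FreeBSD documentation; the interface names, addresses and published ports are constructed assumptions, and the script only prints the rules unless FWCMD is set to /sbin/ipfw.

```shell
#!/bin/sh
# Added example: ipfw rules for a firewall host with three NICs.
# Interface names and addresses are constructed placeholders.
# Dry run by default (prints the rules); set FWCMD=/sbin/ipfw to load them.
fwcmd="${FWCMD:-echo ipfw}"

oif="fxp0"            # outside NIC (assumed name)
iif="fxp1"            # inside (LAN) NIC (assumed name)
dif="fxp2"            # NIC that goes only to the all-purpose server
lan="192.168.1.0/24"  # LAN network (constructed)
srv="192.0.2.10"      # all-purpose server, assumed to have a routable address

load_rules() {
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    # Anti-spoofing: inside addresses must never arrive on the outside NIC
    $fwcmd add 300 deny log ip from "$lan" to any in recv "$oif"
    $fwcmd add 310 deny log ip from "$srv" to any in recv "$oif"
    # Packets belonging to a connection accepted below pass here
    $fwcmd add 400 check-state
    # World -> server: published services only (FTP is not covered here)
    $fwcmd add 500 allow tcp from any to "$srv" 25,53,80 in recv "$oif" setup keep-state
    $fwcmd add 510 allow udp from any to "$srv" 53 in recv "$oif" keep-state
    # LAN -> anywhere, including the server
    $fwcmd add 600 allow tcp from "$lan" to any in recv "$iif" setup keep-state
    $fwcmd add 610 allow udp from "$lan" to any 53 in recv "$iif" keep-state
    # Server may never open a connection towards the LAN ...
    $fwcmd add 700 deny log ip from "$srv" to "$lan"
    # ... but may deliver mail and resolve names on the outside
    $fwcmd add 710 allow tcp from "$srv" to any 25,53 in recv "$dif" setup keep-state
    $fwcmd add 720 allow udp from "$srv" to any 53 in recv "$dif" keep-state
    # Everything else is dropped and logged
    $fwcmd add 65000 deny log ip from any to any
}

load_rules
```

Rule 700 is what the separate server leg buys: replies from the server to LAN clients still pass at check-state, but a compromised server cannot open new connections into the LAN.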