Date: Sat, 26 May 2001 04:34:28 -0700
From: "Robert L Sowders" <rsowders@usgs.gov>
To: david@banning.com
Cc: questions@freebsd.org
Subject: Re: security question
Message-ID: <OF6338CD20.41F01407-ON88256A58.003F91DF@wr.usgs.gov>
Forgive me, this is long winded.

If you want a simple step by step setup for an ipf firewall on freebsd-stable try:

http://www.schlacter.dyndns.org/public/FreeBSD-STABLE_and_IPFILTER.html

If you have installed webmin with the SSL option then you should be safe for remote logins.

Do not trust telnet or ftp. It is too easy to pick off passwords that are transmitted in the clear. Only allow ssh or tunneled protocols to pass in from the outside. With the correct firewall setup, outgoing connections of any kind should be ok. I mean it will not jeopardize any inside machines; clear text passwords on the outside receiving machines will still be out there for anyone to grab.

After you have followed the security guidelines from the handbook you are protected from 95% of the weekend hacker wannabes.

It is not advisable to run a web server behind your firewall and allow connections in from the outside. The entire network topology becomes complicated in a hurry, and your required knowledge of things like proxy servers, firewalls, and web servers will grow exponentially. If you still insist on doing it this way then here goes. If someone discovers a new exploit for your webserver then all your protected machines will be at risk. It is much better to set up a DMZ with two firewalls, and keep all your protected machines behind another with the web server behind its own, possibly with a proxy server in front of the web server. This way all incoming connections for the webserver pass through a firewall which only permits http traffic to the proxy which in turn speaks for the web server. It also has the added benefit of accelerating the web server. This way all web server exploits have to make it past the proxy first. Your protected machines behind the other firewall need to get to the web server itself to update web pages; this can be done with a VPN tunnel between the two firewalls.

The firewall in front of your protected machines allows nothing to pass through the firewall that is not asked for by the protected machines, and every outgoing packet is NATed so no one can get the ip of the protected machines. Hackers are forced to either hack the firewall or induce a protected machine to install a trojan tunnel (usually via infected email attachments).

While there are still ways to drill through firewalls, firewalker comes to mind, you have still put up enough layers of defense that almost 99.9% of all sunday hackers will look elsewhere for something easier. (IIS web server perhaps. :-) You would have to have something extremely interesting or valuable to hold someone's attention for very long.

If you got a few bucks you might want to look at http://www.gnatbox.com

This is a firewall and operating system (FreeBSD+IPF) that runs on a floppy. You put it in, boot the machine, presto, instant firewall. They give it away for home use. They also have a full featured version for 300.00 that has almost everything you could ask for in a firewall. Even has a stealth feature to make the firewall look like a black hole on the internet. All this with a web interface you can manage from the inside.

Good luck, hope I've answered most of your questions.


David Banning <sky_tracker@yahoo.com>
Sent by: owner-freebsd-questions@FreeBSD.ORG
05/26/2001 03:24 AM GMT
Please respond to david

To: questions@freebsd.org
cc:
bcc:
Subject: security question

I am setting up a small network of Windows desktops that are accessing the net through a FreeBSD server. If I disable telnet, ftp, and everything in inetd.conf leaving only http open, what are my risks?

I have webadmin running. I would *like* telnet and shell (rshd) to run, so I can telnet in. I can't imagine how someone could break into a system, so I am pretty lost in assessing this risk.

I know SSH is better for telneting in to the server, but then it has to be on every machine that you telnet in from.

When I hear "don't use telnet unless you have to", I wonder. I know several sites that have telnet where I can login, and those places are a lot bigger than my little ol' place.

If I use telnet, is there really such a risk?

I'm going all over the place here. Maybe someone could recommend a good place to learn about this topic? I started with the FreeBSD Security How-to which is a good starter.
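The two-firewall layout the reply describes, written out as IP Filter rule sets. This is an added example, not from the reply or from the guide it links to; the interface names, the 192.0.2.0/24 DMZ, the 10.0.0.0/24 protected LAN and the proxy address 192.0.2.10 are all assumed, and the VPN link between the two firewalls is left out.

```conf
# --- Outer (DMZ) firewall: /etc/ipf.rules ---
# Assumed: fxp0 faces the internet, fxp1 faces the DMZ, 192.0.2.10 is the
# reverse proxy. The web server behind the proxy gets no rule, so it is
# never reachable from the outside.
block in log all
block out log all
# traffic arriving from the internet with a private or loopback source is spoofed
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 127.0.0.0/8 to any
# the only thing let in: HTTP, and only to the proxy; keep state lets the
# proxy's replies back out without a separate rule
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 80 flags S keep state
pass out quick on fxp1 proto tcp from any to 192.0.2.10/32 port = 80 flags S keep state

# --- Inner firewall: /etc/ipf.rules ---
# Assumed: fxp0 faces the DMZ, fxp1 faces the protected LAN 10.0.0.0/24.
block in log all
block out log all
# nothing comes in from the DMZ side unless a protected machine asked for it:
# only the state entries created by these outbound rules let replies through
pass out quick on fxp0 proto tcp from 10.0.0.0/24 to any flags S keep state
pass out quick on fxp0 proto udp from 10.0.0.0/24 to any keep state
pass out quick on fxp0 proto icmp from 10.0.0.0/24 to any keep state
# the LAN interface itself is trusted in both directions
pass in quick on fxp1 from 10.0.0.0/24 to any
pass out quick on fxp1 from any to 10.0.0.0/24

# --- Inner firewall: /etc/ipnat.rules ---
# every outgoing packet leaves with the firewall's own address, so the
# 10.0.0.x addresses of the protected machines are never seen outside
map fxp0 10.0.0.0/24 -> 0/32 portmap tcp/udp 10000:40000
map fxp0 10.0.0.0/24 -> 0/32
```

Load with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, and check the logged blocks with `ipmon` before trusting the set.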
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?OF6338CD20.41F01407-ON88256A58.003F91DF>