Hack attempts

Scot L. Harris webid at cfl.rr.com
Mon Jul 26 14:23:08 UTC 2004 

On Mon, 2004-07-26 at 09:54, Jim Higson wrote:
> > Can you harden a linux system as good or better than a cheap hardware
> > firewall, you may be able to today, someone new maybe not.
> 
> Well, there's always firewall-specific distros - smoothwall and the like. I'm 
> pretty sure a newbie could work out how to set up a hardened Linux network in 
> less than 10 minuites with a Smoothwall CD. Ok, that's slightly cheating 
> because it's turning an old computer into a cheap hardware firewall.
> 

Good points.  But how many newbie's have spare equipment laying around
and know about smoothwall day one?  I did not.  There was a learning
curve that we all climb at our own speed.  As you learn more you change
your system to use new things.  When you setup a second system you
probably set it up differently that you did the first system due to what
you have learned.

> Besides, I've always thought the default security with Redhat/Fedora was 
> pretty good. Just not selecting any services to let through the local 
> firewall in the graphical installer should be good enough.

It is good if you leave it at its highest settings, no ssh, no ftp, etc
through the firewall, block everything.  But many people want to access
their shiny new linux box using samba or ftp or telnet or ssh.  Those
get punched through early on so they can access other systems on their
LAN or share a directory with that windows machine.

If they have a spare box to configure as a firewall great.  If not a
cheap hardware router does a great job with a lot less fuss and probably
more securely than a first time implementation of smoothwall.  

And like I said before poor passwords are more of a problem that most
other things.  I seem to recall a thread in this very group talking
about how to setup a system WITHOUT any passwords at all.  I just
shudder at the thought.  

I ran a program once on a Vax 11/780 which was able to crack something
better than 60% of the passwords on that system.  (I was system admin at
the time and I had informed my boss what I was doing....)  Was kind of
funny when I went to my boss and told him to change his password since
he had selected a poor one.  

And setting up a layered defense makes it more difficult to identify and
hack systems from external connections.  This is one of the reasons most
companies implement DMZs which separate Internet facing systems from
internal LANs.  But that is straying from the discussion.  :)

-- 
Scot L. Harris
webid at cfl.rr.com

The older a man gets, the farther he had to walk to school as a boy.

More information about the fedora-list mailing list