Firewall - Very limited Access - suggestions
Guy Fraser
guy at incentre.net
Mon May 31 16:17:14 UTC 2004
Kevin F. Berrien wrote:
> I know what you mean, also given the security requirements of this
> installation. I was thinking of using a GUI, and reviewing the
> firewall script. I've got that good Linux Firewalls text to read up on.
Hi
Hardening the bastion host is more than just firewall rules.
If I were building a bastion host on FC2 I would also read up on
SElinux. I believe that the extensions are already built into the
kernel and I have seen some configuration apps somewhere.
With the SElinux extensions it is possible to restrict access to
commands so that root is no longer able to gain access to everything
on the system. You can have another more obscure username/uid that has
more access rights than root. If possible you may want to have another
server outside the bastion host, that provides your DNS and other
"public" services {mail,web}.
A few years ago I set up a bastion host. Although it is inconvenient,
I configured it so that there was no remote access to the machine
and root was not able to log in directly from any console. Further
security included a locked case, no floppy, no CD, and USB disabled
in BIOS.
I don't know if it is good or bad, but the administrator left on bad
terms and nobody could get into the machine to change passwords. They
found the key, and installed a CD drive then Win 2000. They decided
that having a technically inclined person to maintain their systems
was too expensive. I have already had to shut down their connection
once due to open relay complaints, it cost them more to have an
"expert" fix their machine than I would have charged to maintain
their bastion host for a year.
Hope all goes well.
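The two controls described in the message above (no remote root login, no direct root console login) can be audited with a small script. This is an added example, not code from the original post or from the fedora-list; it assumes the sshd semantics that the first uncommented `PermitRootLogin` directive wins and that an absent directive means the permissive default of that era, and it assumes `pam_securetty` is in use so that an `/etc/securetty` with no tty entries denies root on every console. The config files it reads are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit a bastion host for
# the two controls the message describes. Point the functions at real
# files (/etc/ssh/sshd_config, /etc/securetty) for a live check.

# check_root_ssh SSHD_CONFIG -> "ok" if remote root login is disabled.
# sshd honours the first uncommented PermitRootLogin directive; if none
# is present the default (assumed "yes" for sshd of that era) applies,
# so "missing" is reported as fail. "without-password" still lets root
# in with a key, so only an explicit "no" passes.
check_root_ssh() {
    val=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" 2>/dev/null \
          | head -n 1 | awk '{print tolower($2)}')
    if [ "$val" = "no" ]; then echo ok; else echo fail; fi
}

# check_securetty SECURETTY -> "ok" if root may log in on no console.
# pam_securetty allows root only on ttys listed in the file, so a file
# containing nothing but comments/blank lines denies root everywhere.
# A missing file is reported as fail: behaviour then depends on the PAM
# version, and the safe assumption is that root is not restricted.
check_securetty() {
    [ -f "$1" ] || { echo fail; return; }
    if grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"; then echo fail; else echo ok; fi
}

# Run the checks against constructed sample files and print a report.
demo() {
    tmp=$(mktemp -d)
    # constructed sshd_config: commented-out "yes", then an explicit "no"
    printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$tmp/sshd_config.good"
    # constructed sshd_config: directive missing entirely (default applies)
    printf 'Port 22\nPasswordAuthentication no\n' > "$tmp/sshd_config.bad"
    # constructed securetty: comment only, so root gets no console at all
    printf '# root may log in on no console\n' > "$tmp/securetty.good"
    # constructed securetty: the usual default, root allowed on tty1/tty2
    printf 'tty1\ntty2\n' > "$tmp/securetty.bad"

    echo "remote root login (hardened sshd_config): $(check_root_ssh "$tmp/sshd_config.good")"
    echo "remote root login (default sshd_config):  $(check_root_ssh "$tmp/sshd_config.bad")"
    echo "console root login (empty securetty):     $(check_securetty "$tmp/securetty.good")"
    echo "console root login (default securetty):   $(check_securetty "$tmp/securetty.bad")"
    rm -rf "$tmp"
}

demo
```

On a live system, pair this with a check that the SSH daemon is actually the only listening service, since the post's point is that the bastion exposed no remote access path at all, not merely a locked-down one.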