Is my computer safe enough if I use just iptables?

Scot L. Harris webid at cfl.rr.com
Fri Oct 15 14:58:33 UTC 2004


On Fri, 2004-10-15 at 09:40, VJ wrote:
> Scot,
>   Thanks a lot for your advice. I am now thinking whether I should go for
> some boxed firewall or not. I used to think Linux was secure enough. I
> have my IPtables DROP by default and just opening the required holes
> (HTTP and SMTP) to let these services be used from outside world. I do
> not let my family login as root. Only I am the boss of the machine. The
> only reason I got a bit worried was that I am using this machine as my
> development/tinkering/playing(MythTV etc) machine + FIREWALL, with other
> machine (XP) being used by my wife.
> 
>   I have tested my firewall using Sygate's online Firewall test and also
> the same from Symantec. Both seemed to say my system was OK but then
> suggested their own firewall software (which I dismissed as a sales
> gimmick).
> 
>   I am still a bit confused, so I will do more research.
> 

I think one of the cheap hardware firewalls would be a good idea in your
case.  As you are doing development work you could inadvertently open
your system up and not even realize it.

Most of these firewalls (Linksys, Netgear, etc) can be purchased for as
little as $50.  You may be able to find them even cheaper online.  You
also get the added benefit of being able to have multiple systems on
your local LAN share the Internet connection.

You might also look for information such as

http://linux.box.sk/newsread.php?newsid=775 

which discusses how to harden a Linux system.  

I don't agree with everything in that link but much of it is great
advice.

You may also want to look at the http://www.bastille-linux.org project. 
Not sure how up to date it is but they had some great stuff a while
back.

The best thing to do is think of defense in depth.  Have a decent
firewall at the front but if possible run firewalls on each system. 
Disable unneeded or unused services.  Run tripwire or something similar
to notify when critical files get changed.  Run chkrootkit or rkhunter
to scan for known root kits.  Use http://grc.com to scan your external
system.  Run virus scanning software on any Windows box.  If using your
Linux box as an MTA for Windows systems run clamav or one of the other
virus scanning packages.  Keep an eye out for security issues in bugtraq
and fedora announcement lists.  Disable telnet, ftp, use ssh and scp
instead.  Disable root from logging in directly and restrict what users
can log in remotely to your system.

There are a lot of good resources out there.  But the best thing is to be
really paranoid.  Because they are out to get you!  :)


-- 
Scot L. Harris
webid at cfl.rr.com

No yak too dirty; no dumpster too hollow. 
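
An added example, not part of the original post or either poster's code: a Python check for the setup discussed in this thread (INPUT policy DROP with only HTTP and SMTP open) that flags any other ACCEPT rule, the kind of hole development work can open unnoticed. The sample ruleset, the function names and the allowed-port set are assumptions made for illustration.

```python
import shlex

ALLOWED_TCP_PORTS = frozenset({25, 80})  # SMTP and HTTP, the holes named in the thread
# Constructed `iptables-save` output for illustration, not taken from the thread.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000:8100 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
COMMIT
"""

def opt(tok, *names):
    """Return the value following the first of `names` in the rule, else None."""
    hits = [tok[i + 1] for i, t in enumerate(tok[:-1]) if t in names]
    return hits[0] if hits else None

def ports_of(spec):
    """Expand '80', '8000:8100' or '25,80' (numeric, as iptables-save prints)."""
    pairs = (p.partition(":") for p in spec.split(","))
    return {n for lo, _, hi in pairs for n in range(int(lo), int(hi or lo) + 1)}

def audit(ruleset, allowed=ALLOWED_TCP_PORTS):
    """Return findings for the filter table's INPUT chain."""
    findings, table = [], None
    for line in map(str.strip, ruleset.splitlines()):
        table = line[1:] if line.startswith("*") else table
        if table != "filter":
            continue
        if line.startswith(":INPUT ") and line.split()[1] != "DROP":
            findings.append("INPUT policy is %s, expected DROP" % line.split()[1])
        tok = shlex.split(line) if line.startswith("-A INPUT ") else []
        if opt(tok, "-j") != "ACCEPT":
            continue
        if "!" not in tok:  # negated matches are never auto-approved
            states = set((opt(tok, "--state", "--ctstate") or "NEW").split(","))
            if opt(tok, "-i") == "lo" or states <= {"RELATED", "ESTABLISHED"}:
                continue  # loopback and reply traffic are expected
            dport = opt(tok, "--dport", "--dports")
            if dport and opt(tok, "-p") == "tcp" and ports_of(dport) <= allowed:
                continue  # one of the intended holes
        findings.append("review: " + line)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "INPUT chain matches the intended policy")
```

Feed it the real output of `iptables-save` in place of the sample. Rules reached through a jump from INPUT to a user-defined chain are not followed, so those chains need their own review.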



