Re: big security questions the deny access guy return
From: "John R. Morris" <jrmorris () nerdality com>
Date: Mon, 06 Dec 2004 21:50:04 -0500
Carlos Garcia wrote:
> Well, I am a newbie in this area, but it seems that I have created a real
> revolution in the list with my deny access question. Well, as far as I
> see, you are great folks that really want to help. Well, I have a lot
> of questions about security, so I really need your help.
Sure, I'll try to help.
> First of all, I want to change the services that run in our network. I
> have Red Hat running on 3 servers: one server has dns1, the other
> has dns2, webmail and mail, the third one has squid for cache and
> proxy and an iptables-based firewall, and the last one has the webmail
> running with Zeus on IRIX. So I really want to make these servers with
> new services and as secure as possible, so, first question:
> About DNS, what bind do you recommend and how can I protect it? I would
> like to install snort to see if somebody is trying to attack my
> server. So should I use bind 8 or bind 9, and should I use a chrooted
> schema or not? What other security risks do I have to address?
Putting bind in a chrooted jail is a good idea. As for versions, use
either Bind 9.24 or 9.30 (I recommend 9.24 unless you need the new
features from 9.30).
Here's a how-to on running Bind under Linux in a chrooted Jail:
And some good configuration options for securing BIND servers:
Those should give you some ideas as to how best to implement DNS
securely at your site, Google can of course turn up many more tutorials
and information should those prove insufficient.
> About mail, I was thinking of using postfix in place of sendmail. Is
> this a good idea? For gathering mail I was thinking of cyrus-imap and
> authentication tools, but what would you recommend me?
Postfix is easier to administer & configure and has less of a troubled
past security-wise than Sendmail. I cut my teeth on Sendmail, and I'm so
deeply accustomed to writing m4 macros for it now that I haven't really
made the switch, but if you aren't heavily invested in using Sendmail
for any reason, it's probably a saner and better choice.
Again, Cyrus-IMAP is good, and puts a lot more effort in my opinion into
large scalability issues than UW's implementation, however I prefer UW.
Either one, coupled with TLS/SSL for auth all around (both for IMAP and
on the MTA side, SMTP+Auth to send is good). Don't forget to add in
things like Clam AV http://www.clamav.net/ and Spam Assassin,
http://spamassassin.apache.org/, grab Procmail while you're at it, too,
if it's not included by default, some users just won't feel at home
> Should I use snort on every server or just one?
> Are iptables good enough? And I have a lot more questions, but can we
> start with these ones? Oh, a last one: somebody on the list says that it
> is not a good idea to use the router as a firewall. Is this right? Why?
Using snort on every server seems entirely excessive to me. Having snort
in place on a SPAN port on its own server as a central NIDS seems much
more effective than using a bunch of instantiations of snort on each
host for HIDS. Instead I think it's preferable to use the available
IPtables, TCPWrappers, Inetd/Xinetd and so on to secure the box as much
as possible from remote access, turn off unneeded services, and then
make use of things like tripwire to keep an eye on the local files and
Definitely consider having a central syslog server and logging from all
your hosts to there, as well as from your routers & switches. Lire is a
great companion to syslog (and other logs as well, like Apache):
Finally, as I was the one (or one of the ones) who said not to use your
router as a firewall, I will elaborate a bit:
Routers should have ACL rules in place to prevent bogus traffic (RFC
1918 addresses, etc), spoofed addresses pretending to be from your
network, etc. That's usually referred to as ingress/egress filtering. In
addition, it can also effectively be used to limit some protocols to the
LAN or to a given VLAN if desired.
Since routers do not, in their pure form, do any stateful inspection of
packets, blocking things in an ACL, like high-numbered ports, is not a
good thing to do. A router that does stateful packet inspection has in
reality become a firewall as well, and the objection is no longer valid.
Here are some references explaining all of this in more detail, and
better than I could:
Essentially, yes, you can filter on the router, but it's mostly not
stateful (doesn't keep track of the connection state), excepting things
like reflexive ACLs. This brings up 2 major issues, 1 is that it is
easier to get through a router's ACLs than a full-on firewall, and 2,
improper attempts to use a router as a firewall can lead to random
Example: you block incoming Windows RDP (TCP 3389). Someday you ssh in to
a server of yours and your client grabs 3389 (it's higher than 1024, so
it's usually not bound unless that host is already using it) to talk on,
and voila! your router starts dropping your packets. Now instead of you,
imagine it's one of your users, who then complains and has you spend
time figuring out why the network is broken. That's my understanding of
So a stateless router ACL is limited to services on ports below 1024, and
is of less total effectiveness and usefulness than a full-on IPtables
firewall (or PIX, or Checkpoint, etc).
Other than that, my personal preference is to use Debian over Redhat. In
any case, make sure all your hosts keep up to date on patches. Irix is
quite a nice Unix, but inst is not my favorite package manager, whether
you can switch to running a Linux server instead is up to you.
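As an added illustration (not part of this thread), here is a small Python simulation of the point made above: a stateless router ACL that drops inbound TCP 3389 also drops the replies to an outbound SSH session whose client side happened to pick source port 3389, while a connection-tracking filter (the role iptables conntrack plays) lets them through. The ingress/egress checks, addresses and port numbers are constructed for the example; the LAN prefix and remote server are documentation addresses, not real hosts.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: our LAN uses one documentation prefix, the remote server another.
LAN = ipaddress.ip_network("203.0.113.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True = arriving from the Internet, False = leaving the LAN

def ingress_egress_ok(p: Packet) -> bool:
    """Stateless checks a router ACL does well: drop bogons and spoofed addresses."""
    src = ipaddress.ip_address(p.src)
    if p.inbound and (src in LAN or any(src in n for n in RFC1918)):
        return False  # inbound packet claiming a private or our own source: bogus/spoofed
    if not p.inbound and src not in LAN:
        return False  # egress: our hosts must not emit packets with foreign source addresses
    return True

def stateless_acl(p: Packet) -> bool:
    """Router-style ACL: block inbound RDP by destination port, with no connection memory."""
    return ingress_egress_ok(p) and not (p.inbound and p.dport == 3389)

class StatefulFirewall:
    """iptables-style filter: same RDP rule, but replies to flows opened from inside are
    accepted first (what -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT does)."""
    def __init__(self):
        self.conns = set()

    def filter(self, p: Packet) -> bool:
        if not ingress_egress_ok(p):
            return False
        if not p.inbound:
            self.conns.add((p.src, p.sport, p.dst, p.dport))  # remember outbound flows
            return True
        if (p.dst, p.dport, p.src, p.sport) in self.conns:
            return True  # reply to a flow we initiated, whatever port it lands on
        return p.dport != 3389

def ssh_session(client_port: int) -> tuple:
    """LAN admin opens SSH to a remote server; returns (reply passes stateless ACL, passes stateful)."""
    syn = Packet("203.0.113.10", client_port, "198.51.100.5", 22, inbound=False)
    syn_ack = Packet("198.51.100.5", 22, "203.0.113.10", client_port, inbound=True)
    fw = StatefulFirewall()
    return (stateless_acl(syn) and stateless_acl(syn_ack),
            fw.filter(syn) and fw.filter(syn_ack))
```

With an ordinary ephemeral port both filters pass the SSH reply; when the client lands on 3389 only the stateful filter does, which is the breakage described in the message.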