Date:      Sat, 26 May 2001 04:34:28 -0700
From:      "Robert L Sowders" <rsowders@usgs.gov>
To:        david@banning.com
Cc:        questions@freebsd.org
Subject:   Re: security question
Message-ID:  <OF6338CD20.41F01407-ON88256A58.003F91DF@wr.usgs.gov>

Forgive me, this is long winded.

If you want a simple step-by-step setup for an ipf firewall on freebsd-stable try:

http://www.schlacter.dyndns.org/public/FreeBSD-STABLE_and_IPFILTER.html

If you have installed webmin with the SSL option then you should be safe for remote logins.

Do not trust telnet or ftp. It is too easy to pick off passwords that are transmitted in the clear. Only allow ssh or tunneled protocols to pass in from the outside. With the correct firewall setup, outgoing connections of any kind should be ok. I mean it will not jeopardize any inside machines; clear-text passwords on the outside receiving machines will still be out there for anyone to grab.

After you have followed the security guidelines from the handbook you are protected from 95% of the weekend hacker wannabes.

It is not advisable to run a web server behind your firewall and allow connections in from the outside. The entire network topology becomes complicated in a hurry, and your required knowledge of things like proxy servers, firewalls, and web servers will grow exponentially. If you still insist on doing it this way then here goes. If someone discovers a new exploit for your webserver then all your protected machines will be at risk. It is much better to set up a DMZ with two firewalls, and keep all your protected machines behind one with the web server behind its own, possibly with a proxy server in front of the web server. This way all incoming connections for the webserver pass through a firewall which only permits http traffic to the proxy, which in turn speaks for the web server. It also has the added benefit of accelerating the web server. This way all web server exploits have to make it past the proxy first. Your protected machines behind the other firewall need to get to the web server itself to update web pages; this can be done with a VPN tunnel between the two firewalls.

The firewall in front of your protected machines allows nothing to pass through the firewall that is not asked for by the protected machines, and every outgoing packet is NATed so no one can get the IP of the protected machines. Hackers are forced to either hack the firewall or induce a protected machine to install a trojan tunnel (usually via infected email attachments).

While there are still ways to drill through firewalls (firewalker comes to mind), you have still put up enough layers of defense that almost 99.9% of all Sunday hackers will look elsewhere for something easier. (IIS web server perhaps. :-) You would have to have something extremely interesting or valuable to hold someone's attention for very long.

If you got a few bucks you might want to look at http://www.gnatbox.com

This is a firewall and operating system (FreeBSD+IPF) that runs on a floppy. You put it in, boot the machine, presto, instant firewall. They give it away for home use. They also have a full featured version for 300.00 that has almost everything you could ask for in a firewall. It even has a stealth feature to make the firewall look like a black hole on the internet. All this with a web interface you can manage from the inside.

Good luck, hope I've answered most of your questions.


David Banning <sky_tracker@yahoo.com>
Sent by: owner-freebsd-questions@FreeBSD.ORG
05/26/2001 03:24 AM GMT
Please respond to david

To:      questions@freebsd.org
cc:
bcc:
Subject: security question

I am setting up a small network of Windows desktops that are
accessing the net through a FreeBSD server. If I disable telnet, ftp,
and everything in inetd.conf leaving only http open, what are my
risks?

I have webadmin running.
I would *like* telnet and shell (rshd) to run, so I can telnet
in. I can't imagine how someone could break in to a system, so
I am pretty lost in assessing this risk.

I know SSH is better for telneting in to the server, but then
it has to be on every machine that you telnet in from.

When I hear "don't use telnet unless you have to", I
wonder. I know several sites that have telnet where I can login,
and those places are a lot bigger than my little ol' place.

If I use telnet, is there really such a risk?

I'm going all over the place here. Maybe someone could recommend a good
place to learn about this topic?
I started with the FreeBSD Security How-to which is a good starter.
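The reply above describes a design in words: an outer firewall that admits only ssh from the outside, lets the protected machines start any outbound connection and NATs them, and a separate DMZ firewall that admits only http to a proxy speaking for the web server. The IPFilter ruleset below is an added example written to make that design concrete; it is not code from the message, from the linked guide or from the FreeBSD handbook. Interface names (fxp0/fxp1 on the outer firewall, ext0 on the DMZ firewall), the addresses 203.0.113.x (TEST-NET), 192.168.1.0/24 and 192.168.2.x, and the choice of IPsec (IKE on udp/500 plus ESP) for the tunnel between the two firewalls are all constructed assumptions for illustration.

```conf
# ---- /etc/rc.conf (both firewalls): load ipf at boot -------------------
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"          # outer firewall only; NAT for the protected LAN
ipnat_rules="/etc/ipnat.rules"

# ---- /etc/ipf.rules on the OUTER firewall (protects the LAN) ------------
# Assumed: fxp0 = outside, address 203.0.113.10; fxp1 = inside, 192.168.1.0/24.
# ipf walks every rule and the LAST match wins unless a rule says "quick",
# so the two logged blocks at the top are the default policy for anything
# no later rule claims.
block in  log all
block out log all

# Loopback is never filtered.
pass in  quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: an outside packet must not claim an inside source.
block in log quick on fxp0 from 192.168.1.0/24 to any

# Inside interface: nothing is filtered here; policy is applied where the
# traffic meets the outside world.
pass in  quick on fxp1 all
pass out quick on fxp1 all

# Protected machines may start anything outbound. "keep state" records the
# flow so the replies are admitted without any inbound "pass" rule, which is
# what "allows nothing that is not asked for by the protected machines" means.
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# The only service reachable from the outside is ssh on the firewall itself.
pass in quick on fxp0 proto tcp from any to 203.0.113.10 port = 22 flags S keep state

# Tunnel to the DMZ firewall (assumed IPsec: IKE + ESP) so inside machines
# can update the web server without exposing it to the Internet.
pass in  quick on fxp0 proto udp from 203.0.113.20 to 203.0.113.10 port = 500 keep state
pass in  quick on fxp0 proto esp from 203.0.113.20 to 203.0.113.10

# The clear-text logins the reply warns about are already caught by the
# default block; listing them logs the attempts on their own line.
block in log quick on fxp0 proto tcp from any to any port = 23   # telnet
block in log quick on fxp0 proto tcp from any to any port = 21   # ftp
block in log quick on fxp0 proto tcp from any to any port = 514  # rshd

# ---- /etc/ipnat.rules on the OUTER firewall --------------------------------
# Every outgoing packet is rewritten to the firewall's own address (0/32),
# so the protected machines' addresses never appear on the outside.
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
map fxp0 192.168.1.0/24 -> 0/32

# ---- /etc/ipf.rules on the DMZ firewall --------------------------------------
# Assumed: ext0 = outside, address 203.0.113.20; the proxy sits in the DMZ at
# 192.168.2.2 and is the only host the outside may talk to, on port 80 only.
# The web server behind the proxy is never addressed from the Internet, so an
# exploit for it has to get past the proxy first.
block in  log all
block out log all
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on ext0 proto tcp from any to 192.168.2.2 port = 80 flags S keep state

# Tunnel endpoint for the outer firewall (same assumed IPsec pair of rules).
pass in  quick on ext0 proto udp from 203.0.113.10 to 203.0.113.20 port = 500 keep state
pass in  quick on ext0 proto esp from 203.0.113.10 to 203.0.113.20
```

Two checks worth doing after loading this with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`: `ipfstat -hio` shows per-rule hit counts, so a non-zero count on the telnet/ftp/rshd block lines tells you someone is probing for exactly the services the reply says to turn off; and `ipmon` on the logged rules gives the source addresses of those probes. The DMZ ruleset admits port 80 to the proxy address only; if the proxy and web server are on separate segments the proxy-to-server hop needs its own stateful pass rule, which this example leaves out.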

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message