Date:      Wed, 18 Feb 1998 00:00:24 -0500 (EST)
From:      mgraffam@mhv.net
To:        Louis-Philippe Alain <xenub@boisfrancs.qc.ca>
Cc:        questions@FreeBSD.ORG, isp@FreeBSD.ORG
Subject:   Re: Books on security
Message-ID:  <Pine.LNX.3.96.980217234042.3140A-100000@localhost>
In-Reply-To: <199802180419.XAA05341@mail.boisfrancs.qc.ca>

On Tue, 17 Feb 1998, Louis-Philippe Alain wrote:

> Hi,
> 	I would like to have some suggestions for books about Network Security,
> how to secure an Internet Server, etc...
> 

Hmm, well my first suggestion would be to read "Practical UNIX and
Internet Security" by Garfinkel and Spafford. After that, there is a
book called "Internet Security" (forget the author's name, and I don't
have my copy around, sorry). Reading these books won't do much good though
unless you follow up for your specific system. That is, read the CERT
warnings, read through the 8lgm archives, check out www.rootshell.com 
etc. Before I install any piece of software on my system, I search these
archives looking for trouble spots.

Generally speaking, as far as running network daemons .. if you don't
need it, get rid of it. If you do need it, firewall the ports against
all hosts that don't need to access it. Remember that the deny and
allow files are for tcpd only; if the process runs outside of tcpd
it is vulnerable.

As an illustration..

I run lpd and other stuff on my machine that connects to the internet.
All such services need to run in order for my other machines to be
able to print, and get the drives via NFS and such. Even though 
/etc/hosts.equiv has no entry in it from off my network, I have its
port blocked to the internet. No one off my net could print as it stands,
but I don't even allow them to connect. 

And if one day some host in Peru does need to print on my system, all
I need to do is to put one new ip firewalling rule in place. No big
deal.

Of course, I run S/key, Ssh and a tripwire too .. but I am in a hostile
environment.. you may not need to protect against passive eavesdropping,
or you may not need encrypted sessions, but for the minimum of resources
that they require, compared to their advantages, I don't see a reason not
to run them, myself.

Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
"Two things fill the mind with ever new and increasing admiration and awe
the more often and steadily we reflect upon them: the starry heavens
above and the moral law within me. I do not seek or conjecture either of
them as if they were veiled obscurities or extravagances beyond the horizon
of my vision; I see them before me and connect them immediately with the
consciousness of my existence." - Immanuel Kant "Critique of Practical Reason"
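
The point above that the deny and allow files only cover processes started through tcpd can be checked mechanically; the following is an added example, not part of the original message. It assumes the classic seven-column inetd.conf layout and an inetd with no built-in wrapper support; the sample file and the function names are constructed for illustration.

```python
"""Flag inetd services that hosts.allow / hosts.deny cannot protect."""
import os

# Constructed sample inetd.conf (not taken from any real host).
SAMPLE_INETD_CONF = """\
# service socket proto wait   user    server-program        arguments
ftp     stream  tcp   nowait  root    /usr/sbin/tcpd        ftpd -l
telnet  stream  tcp   nowait  root    /usr/libexec/telnetd  telnetd
#shell  stream  tcp   nowait  root    /usr/sbin/tcpd        rshd
finger  stream  tcp   nowait  nobody  /usr/sbin/tcpd        fingerd -s
daytime stream  tcp   nowait  root    internal
ntalk   dgram   udp   wait    root    /usr/libexec/ntalkd   ntalkd
broken  stream  tcp
"""


def parse_inetd(text):
    """Yield (lineno, fields) for every enabled, well-formed entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled/commented entry
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry: no server-program column
        yield lineno, fields


def unwrapped_services(text, wrapper="tcpd"):
    """Return (lineno, service, proto, reason) for entries tcpd never sees."""
    findings = []
    for lineno, fields in parse_inetd(text):
        service, proto, server = fields[0], fields[2], fields[5]
        if server == "internal":
            reason = "handled inside inetd"
        elif os.path.basename(server) != wrapper:
            reason = "started directly, not via " + wrapper
        else:
            continue  # wrapped: the allow/deny files apply
        findings.append((lineno, service, proto, reason))
    return findings


if __name__ == "__main__":
    for lineno, service, proto, reason in unwrapped_services(SAMPLE_INETD_CONF):
        print(f"line {lineno}: {service}/{proto}: {reason}; filter it at the firewall")
```

Standalone daemons such as lpd never appear in inetd.conf, so this check says nothing about them; those ports need the firewall rule regardless.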

