chesty wrote:
>
> We had our linux firewalls audited and I wanted to get some opinions on some
> of the issues raised.
>
> We were advised to turn sshd PasswordAuthentication off because it allows
> clear text passwords.
> hey? That doesn't sound right.
pass
>
> Mount partitions read only where possible.
> I guess this is a good idea, but in what situation would this add security?
> You need to be root to be able to write to the partitions that I could mount read
> only, and if someone gets root, they can remount partitions read write.
For a firewall, you want to prevent anyone being able to fiddle with it,
and one way to prevent people writing to it is to make it read only.
Tricks like Remote logging, temporary files in ram, boot off CD, etc
have all been covered in Slug archives.
>
> Remove man pages.
> Again, I can't see the harm in doing this, but I can't see the point.
If you don't know what to do, why are you fiddling with the box? Basically,
if someone gets in, man pages help them know the particular variety of
your box. Just makes it harder for script kiddies, dorfs, staff wanting
to create ICQ holes, etc to fiddle.
>
> Remove unnecessary binaries.
> A good idea no doubt, but the firewall doesn't allow shell access, and the
> way I see it is if someone gets shell access they can upload their own bins.
Yes, but they still have to upload them, which takes time, which
increases the chances of discovery, etc. If you don't need it, then it
shouldn't be there.
>
> It doesn't mention it in the report, but would mounting /home, /tmp and /var with
> noexec help? It might stop a non root user from running their own programs, but it
> won't stop root.
Are we talking about a firewall or what?
There shouldn't be any users on the firewall.
You want a firewall that has the absolute minimum on it. Just enough to
run the firewall stuff.
--
Terry Collins {:-)}}} Ph(02) 4627 2186 Fax(02) 4628 7861
email: [EMAIL PROTECTED] www: http://www.woa.com.au
WOA Computer Services <lan/wan, linux/unix, novell>
"People without trees are like fish without clean water"
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
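The thread above argues for read-only and noexec/nosuid/nodev mounts on a firewall box. As an added example (not from the thread or from any of the participants), the POSIX sh script below audits a mount table in /proc/mounts format and reports mountpoints that lack those options. The mapping of mountpoints to expected options (/usr read-only; /tmp, /var and /home with noexec, nosuid and nodev) and the sample mount table are my own assumptions for illustration; on a real box you would feed it /proc/mounts instead.

```shell
#!/bin/sh
# Added example, not from the original thread: audit mount options on a firewall.
# Input lines are in /proc/mounts format: device mountpoint fstype options dump pass

# Constructed sample standing in for /proc/mounts (assumption for this example).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,relatime 0 0'

# has_opt OPTS NAME: succeed if NAME appears as a whole option in the comma list OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_mounts: read mount lines from stdin, print "MOUNTPOINT missing OPT" per
# violation; return 1 if any violation was found, 0 otherwise.
# The mountpoint -> expected options mapping is an assumption for this example.
check_mounts() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        [ -z "$mnt" ] && continue
        case "$mnt" in
            /usr) want="ro" ;;                      # nothing on it should be modifiable
            /tmp|/var|/home) want="noexec nosuid nodev" ;;  # no running uploaded binaries
            *) continue ;;
        esac
        for o in $want; do
            if ! has_opt "$opts" "$o"; then
                printf '%s missing %s\n' "$mnt" "$o"
                rc=1
            fi
        done
    done
    return $rc
}

# count_violations TABLE: number of violation lines check_mounts reports for TABLE
count_violations() {
    printf '%s\n' "$1" | check_mounts | wc -l | tr -d ' '
}

# Usage: audit the constructed sample. On a real firewall: check_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | check_mounts
```

Running it on the sample reports /var missing noexec, nosuid and nodev, and /home missing noexec and nodev; /usr (ro) and /tmp pass. As Terry notes, root can remount read-write, so this check only tells you what the box currently looks like, not that it cannot be changed; it is a quick way to spot drift from the intended minimal configuration rather than a guarantee.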