Re: [Fwbuilder-discussion] question on logging
From: Bill C. <Bill@Explosivo.com> - 2005-04-20 22:52:28
Well, definitely don't take my ideas as gospel. You are gonna find a whole lot of different viewpoints on things. It's what I do, and while I have been doing since... well... a while anyway.

Yeah putting any sort of services on the same machine is bad, but of course you have to be realistic about it. If it's a home box then it's not bad if it gets wiped out someday, but for a corporation, there should be another system that can run apache in a dmz. For example, at home I run dhcp, dns (for internal access only), squid, snort all on my firewall.

If you run stuff on yours, look into chroot'ing programs... that will minimize any damage from say apache being compromised. I am not so much worried about apache, but if you let something like PHP run...

What dist are you running out of curiosity?

On Wed, 20 Apr 2005 18:38:27 -0400 Claude Jones <cla...@le...> wrote:

> Though a newcomer, I'm heartened by your post. I haven't done all you suggest,
> because this is an experimental box, not a production machine, and I'm using
> it to learn. So, I did an everything install. Slowly, over months, as I've
> learned, I've been removing things, and turning services off. I'm violating a
> major rule I've seen over and over in that my box is both firewall, Apache
> web server, dhcp server, does a few little things with mail, and a bunch of
> other stuff. But, so far, so good. I have read some hardening docs, and run
> multiple port scans. I've started with one of the templates from FWBuilder
> whose default rule is block everything, and have added rules to allow only
> what I want. So, I'm doing much of what you suggest, I think. Thanks for
> taking the time to give your opinion - it was appreciated.

--
Bill Chmura
Director of Internet Technology
Explosivo ITG
Wolcott, CT
p: 860.621.8693
e: bill@Explosivo.com
w. http://www.explosivo.com