Re: [Fwbuilder-discussion] question on logging

[Bill C. <Bill@Explosivo.com>]

Well, definately don't take my ideas as gospel.  You are gonna find a
whole lot of different viewpoints on things.   Its what I do, and while
I have been doing since... well... a while anyway.

Yeah putting any sort of services on the same machine is bad, but of
course you have to be realistic about it.  If its a home box then its
not bad if it gets wiped out someday, but for a corporation, there
should be another system that can run apache in a dmz.

For example, at home I run dhcp, dns (for internal access only), squid,
snort all on my firewall.  If you run stuff on yours, look into
chroot'ing programs... that will minimize any damage from say apache
being compromised.  I am not so much worried about apache, but if you
let something like PHP run...

What dist are you running out of curiosity?





On Wed, 20 Apr 2005 18:38:27 -0400
Claude Jones <cla...@le...> wrote:

> Though a newcomer, I'm heartened by your post. I haven't done all you suggest, 
> because this is an experimental box, not a production machine, and I'm using 
> it to learn. So, I did an everything install. Slowly, over months, as I've 
> learned, I've been removing things, and turning services off. I'm violating a 
> major rule I've seen over and over in that my box is both firewall, Apache 
> web server, dhcp server, does a few little things with mail, and a bunch of 
> other stuff. But, so far, so good. I have read some hardening docs, and run 
> multiple port scans. I've started with one of the templates from FWBuilder 
> who's default rule is block everything, and have added rules to allow only 
> what I want. So, I'm doing much of what you suggest, I think. Thanks for 
> taking the time to give your opinion - it was appreciated. 


-- 

Bill Chmura
Director of Internet Technology
Explosivo ITG
Wolcott, CT

p: 860.621.8693
e: bill@Explosivo.com
w. http://www.explosivo.com