should i bother??

James Mckenzie jjmckenzie51 at earthlink.net
Thu Jan 13 16:02:57 UTC 2005


Scot Harris said about should i bother??
>
>Don't rely on a hard candy coating to keep all the hackers at bay. 
>Harden the inside of your system whenever possible.  Layered defense is
>always better.  

You said this so well.  I always look at a patch to see whether it addresses security, just gives additional capabilities, or is a bug fix.  If it is a security patch, it gets installed.  Of course, this may introduce other security problems or possible problems.  If it gives additional capabilities, I look to see if I can exploit those capabilities.  If it is a bug fix, I look (again) to see if I use the capability that the bug fixes.
>
>dedicated firewall--->
(network address translation from a public IP to a private network is always advised here)
You also forgot to add a network sniffer such as SNORT to keep track of who is trying to do what to your firewall.
>(limited ports passed through (if any)
Mostly on the inbound leg is where folks block.  You should also block known outbound troublemakers just in case someone gets through to your private network.
>--->firewall on server (limited services allowed through)---->
This is not as important as keeping up the network firewall.  Also, only known outbound services should be able to talk on the network.
>disable all unneeded services------>
This is definitely a must.  If you don't have Windows file shares on your network, you don't need and should not have SAMBA enabled, for instance.  If you are not sharing network assets between UNIX/LINUX boxes you should not be running NFS.  It is quite interesting that CUPS is open to the world upon installation, and I use a firewall to block its ports and restrict it to localhost only.
>keep system patches up to date ------>
This is a must.  The first line of defense is having a system with all known vulnerabilities closed/patched.  This is how the MS Blast worm got through.  The patch had been out for over six months before the worm was released.
>run tripwire------>
A good idea.
>run chkrootkit ------->
Or any other root kit program.  I run root kit hunter as a daily cron job.
>monitor log files ---->
FC3 mails them to you on a daily basis.  Read your root mail...
>use screen savers to lock terminal session ----->
Yep.
>use good passwords ----->
Strong passwords of random letters, with at least two numbers and two special characters, for all accounts, definitely root.
>change passwords ----->
Change them at least every three months, monthly if it is an active system.  Change all passwords if a user password is 'lost'.  If a user comes to you to change a password, think real hard about asking all users to change.  Definitely change root's.
>don't use the same password on multiple systems----> 
Never use the same password for root on several systems.  Do not use an old root password for root on another system.
>disable root login on ssh -----> 
This is easy and is the default for FC3.
>don't use telnet or ftp 
Never use a protocol that sends a user's password as cleartext.  Use ssh/scp/sftp.

You missed a real good security tip.  Only allow those who need it physical access to the server.  Keep your server in a secure area behind a locked door.  You would be surprised what happens.  If you can, disable console logon to your server and allow only ssh logins.  This is what saved a company's reputation.

>Keep shotgun handy along with several watch dogs......
Hmmm. This seems to be a little overboard, but both system and physical security are a must for any server system.



James McKenzie
A Proud User of Linux!
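Two of the checklist items above (root login over ssh disabled; SAMBA, NFS, CUPS, telnet and ftp not listening on the open network) can be audited with a short script. The following is an added example, not code from the list post or from Fedora; it reads a constructed sshd_config and a constructed "proto local-address" listener dump so it runs offline, and the hypothetical `ssh_root_login_disabled` and `exposed_services` helpers are the author's here, not tools from the distribution.

```sh
#!/bin/sh
# Added audit example (constructed inputs, not from the original post).
# sshd applies the FIRST matching keyword, so only the first PermitRootLogin
# line counts; a later "yes" does not override an earlier "no".

# Returns 0 when the first PermitRootLogin in file $1 is "no".
ssh_root_login_disabled() {
    val=$(grep -i '^[[:space:]]*PermitRootLogin' "$1" | head -n 1 \
          | awk '{print tolower($2)}')
    [ "$val" = "no" ]
}

# Reads "proto local-address" lines from file $1 (the shape of an ss/netstat
# dump) and prints "<service> <address>" for each checklist service that is
# bound to something other than loopback. CUPS on 127.0.0.1 is accepted,
# matching the localhost-only setup described in the post.
exposed_services() {
    while read -r proto addr; do
        port=${addr##*:}
        host=${addr%:*}
        case "$port" in
            21)      name=ftp ;;
            23)      name=telnet ;;
            139|445) name=samba ;;
            2049)    name=nfs ;;
            631)     name=cups ;;
            *)       continue ;;   # not a service on the checklist
        esac
        case "$host" in
            127.0.0.1|::1) continue ;;   # loopback only: acceptable
        esac
        echo "$name $addr"
    done < "$1"
}

# Constructed sample inputs (hypothetical host, for demonstration only).
SSHD_SAMPLE=$(mktemp)
LISTEN_SAMPLE=$(mktemp)
printf '%s\n' '# comment' 'PermitRootLogin no' 'PermitRootLogin yes' > "$SSHD_SAMPLE"
printf '%s\n' 'tcp 127.0.0.1:631' 'tcp 0.0.0.0:22' 'tcp 0.0.0.0:445' \
              'udp 0.0.0.0:2049' 'tcp 0.0.0.0:23' > "$LISTEN_SAMPLE"

ssh_root_login_disabled "$SSHD_SAMPLE" && echo "ssh root login: disabled"
exposed_services "$LISTEN_SAMPLE"   # samba, nfs and telnet are flagged
```

Point the two functions at the real /etc/ssh/sshd_config and at the "proto address" columns of a live `ss -ltun` or `netstat -ltun` dump to audit an actual host.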



