[plug] LAN security

Trent Lloyd trent at ucc.gu.uwa.edu.au
Sun Jun 9 21:59:28 WST 2002


On Sun, Jun 09, 2002 at 08:38:24PM +0800, Leon Brooks wrote:
> On Sun, 9 Jun 2002 18:06, Richard wrote:
> > Just a general question. I am about to set up apache, squid and bind
> > (and possibly an ftp server) on our home LAN, and I was wondering
> > whether to set them up on the Internet gateway machine or one of the
> > hosts behind the gateway, from a security perspective. Apache (and ftp)
> > will be visible to the wider Internet as well as the LAN. Any thoughts,
> > or good sites anyone could point me to?
> 
> KISS. Put it on the gateway.
> 
> If worried, jail the offending services. Do use the latest version of 
> everything (BIND 9.2.1, OTToMH, Apache 1.3.24, ProFTPd at least 1.2.5, Squid 
> 2.4STABLE4). Use iptables filtering to block all incoming except replies to 
> outbound, plus those services, plus ICMP.
>

Just in case you don't know, jailing is by using a 'chroot' jail which
makes / appear as /some/dir to the programs running, therefore if someone
owned your 'box' they would only own your 'jail' and nothing else will
be affected, as /etc/passwd is not /etc/passwd, it's
/services/jail/etc/password, hence it doesn't matter

> Cheers; Leon
> 
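Added example, not part of the original posts: one way to write down the filtering policy suggested above (drop all incoming except replies to outbound, the listed services, and ICMP) as an iptables-restore ruleset. The interface names, the port numbers, and the choice to keep BIND and Squid LAN-only are assumptions; `wan_reachable` is a hypothetical audit helper.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the gateway policy
# described in the thread. Interface names and the LAN-only treatment of
# BIND and Squid are assumptions, not stated in the posts.

gateway_rules() {
    wan_if="$1"   # Internet-facing interface (assumed name, e.g. eth0)
    lan_if="$2"   # LAN-facing interface (assumed name, e.g. eth1)
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# FTP data connections only count as RELATED once the helper is attached
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to outbound traffic
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP
-A INPUT -p icmp -j ACCEPT
# Visible to the Internet and the LAN: FTP and Apache
-A INPUT -p tcp -m multiport --dports 21,80 -m conntrack --ctstate NEW -j ACCEPT
# LAN only: BIND and Squid
-A INPUT -i ${lan_if} -p udp --dport 53 -j ACCEPT
-A INPUT -i ${lan_if} -p tcp -m multiport --dports 53,3128 -m conntrack --ctstate NEW -j ACCEPT
# LAN hosts may go out; only replies come back in
-A FORWARD -i ${lan_if} -o ${wan_if} -j ACCEPT
-A FORWARD -i ${wan_if} -o ${lan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Audit helper: INPUT ACCEPT rules with no interface restriction,
# i.e. everything the Internet side can reach on the gateway itself.
wan_reachable() {
    gateway_rules "$1" "$2" | grep '^-A INPUT' | grep -- '-j ACCEPT' | grep -v -- ' -i '
}
```

As root, `gateway_rules eth0 eth1 | iptables-restore --test` parses the ruleset without loading it.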


