[plug] LAN security

Richard wpickett at iprimus.com.au
Mon Jun 10 01:34:26 WST 2002


On Sun, 2002-06-09 at 21:59, Trent Lloyd wrote:
> On Sun, Jun 09, 2002 at 08:38:24PM +0800, Leon Brooks wrote:
> > On Sun, 9 Jun 2002 18:06, Richard wrote:
> > > Just a general question. I am about to set up apache, squid and bind
> > > (and possibly an ftp server) on our home LAN, and I was wondering
> > > whether to set them up on the Internet gateway machine or one of the
> > > hosts behind the gateway, from a security perspective. Apache (and ftp)
> > > will be visible to the wider Internet as well as the LAN. Any thoughts,
> > > or good sites anyone could point me to?
> > 
> > KISS. Put it on the gateway.
> > 
> > If worried, jail the offending services. Do use the latest version of 
> > everything (BIND 9.2.1, OTToMH, Apache 1.3.24, ProFTPd at least 1.2.5, Squid 
> > 2.4STABLE4). Use iptables filtering to block all incoming except replies to 
> > outbound, plus those services, plus ICMP.
> >
> 
> Just in case you don't know, jailing is by using a 'chroot' jail which
> makes / appear as /some/dir to the programs running, therefore if someone
> owned your 'box' they would only own your 'jail' and nothing else will
> be affected, as /etc/passwd is not /etc/passwd, it's
> /services/jail/etc/password, hence it doesn't matter
> 
> > Cheers; Leon
> > 
> 
Many thanks to both of you. I never knew what chroot was before, but tracking
it down, I've found a lot of good security related material.
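
The filtering policy suggested in the thread (block all incoming except replies to outbound, plus the offered services, plus ICMP), written out as a generator for an iptables-restore ruleset. This is an added example, not part of the original messages; the interface names eth0/eth1, Squid's default port 3128, and limiting Squid and BIND to the LAN side are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, Squid's port 3128 and
# LAN-only exposure of Squid/BIND are assumptions.

# Print an iptables-restore ruleset for a gateway with WAN interface $1 and
# LAN interface $2. Nothing is applied here; check the output first with
#   gen_gateway_rules eth0 eth1 | iptables-restore --test
gen_gateway_rules() {
    wan_if=$1
    lan_if=$2
    # Accept only plain interface names so an argument cannot inject rule text.
    for ifname in "$wan_if" "$lan_if"; do
        case $ifname in
            ''|*[!A-Za-z0-9._-]*)
                echo "bad interface name: '$ifname'" >&2
                return 1 ;;
        esac
    done
    cat <<EOF
*filter
# Default deny for traffic to the gateway and through it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to outbound connections. Passive-mode FTP data connections only
# count as RELATED when the FTP conntrack helper is loaded.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Internet-facing services: FTP control (21) and Apache (80) only.
-A INPUT -i $wan_if -p tcp -m multiport --dports 21,80 -m conntrack --ctstate NEW -j ACCEPT
# LAN-side services: the above plus BIND (53) and Squid (3128).
-A INPUT -i $lan_if -p tcp -m multiport --dports 21,53,80,3128 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan_if -p udp --dport 53 -j ACCEPT
# LAN hosts may open connections outward; only replies come back in.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Show the ruleset for the assumed interface names (override via WAN_IF/LAN_IF).
gen_gateway_rules "${WAN_IF:-eth0}" "${LAN_IF:-eth1}"
```

The filter table alone does not set up address translation for the LAN; NAT rules are outside what this example covers.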


