Great Circle Associates Firewalls
(June 1997) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: Securing down a box for a firewall
From: Nigel Metheringham <Nigel . Metheringham @ ThePLAnet . net>
Date: Thu, 12 Jun 1997 11:40:15 +0100
To: "Sameer R. Manek" <manek @ challenger . atc . fhda . edu>
Cc: Firewalls @ GreatCircle . COM
In-reply-to: Your message of "Wed, 11 Jun 1997 19:07:47 PDT." 
manek @
 challenger .
 atc .
 fhda .
 edu said:
} I'm curious what is considered striping down a box? I can understand
} the obvious stuff like /usr/games, and maybe a few binaries in  /bin
} and /usr/bin, along with most setuid binaries. Possibly even remove
} the compiler, though compiling on an alternate box is real easy. So
} what can be done? top strip it down?  

Well personally I do this from the other end...
The firewall type boxes I build are based on Red Hat Linux.  This uses a 
fairly fine grained package system based on RPM packages, but you can do 
something similar with other package based systems.

I work my way through all the packages that are part of the normal 
distribution and select which ones I actually want and throw everything 
else out.  I set the install defaults to not install any documentation 
(mainly to reduce the number of excess files around).  I rebuild a number 
of packages (relatively small) to have different defaults, configurations 
or authentication (although with the advent of PAM this last is becoming 
less necessary - all I need is a decent OTP module).  I add some packages 
on for specific functions, and I build a new kernel package with the 
kernel configured as I want (no modules, very small number of necessary 
drivers, anti SYN measures etc...).

Nothing is installed on the box that isn't from a package other than a 
*very* small number of config files - in general you can do
	rpm -qif /some/file

on any file other than the stuff in /tmp and /var/spool and find that it 
belongs to a specific package.

I also install some monitoring stuff including tripwire (yes RPM can do 
package verification, Tripwire does system verification).

As to compilers etc...  I do not install compilers.  However parts of my 
system require perl and I do install that.  If someone is on the box you 
are pretty much shot anyhow...  As much as possible does not run as root 
and is chrooted.

In summary I suggest you design what the box is for, not hack a few things 
off a general purpose box, and you focus everything you install on the box 
to the purpose of the box.

	Nigel.

-- 
[ Nigel .
 Metheringham @
 theplanet .
 net   -  Systems Software Engineer ]
[ Tel : +44 113 251 6012                   Fax : +44 113 224 0003 ]
[            Friends don't let friends use sendmail!              ]
Indexed By Date Previous: Re: Stateful Packet Filters vs. Proxies
From: Benjamin Allan Smith <Benjamin . Smith @ sv . sc . philips . com>
Next: NAT router
From: Thierry Boivin <Thierry . Boivin @ cdc . com>
Indexed By Thread Previous: Re: How to define multiple domain on a name server
From: "Rick Magill" <rsmagill @ nlhc . nf . ca>
Next: RE: Securing down a box for a firewall
From: Greg Witte <gwitte @ us-state . gov>
Google
 
Search Internet Search www.greatcircle.com