[Gllug] bastille/firewall confusion

Pete Ryland pdr at pdr.cx
Mon Jan 27 11:12:08 UTC 2003


On Sun, Jan 26, 2003 at 10:37:18PM +0000, Branden Faulls wrote:
> With the emergence of the recent worm I've had a closer look at my 
> security.  My debian box is running the Bastille scripts and should be 
> logging all connection attempts.  However, having run an nmap scan from 
> a security website, numerous ports are visible and open on the report. I 
> also fail to find mention of denied connections in /var/log/syslog and 
> /var/log/kernel.
> 
> I have removed most services, telnet is of course gone, however things 
> like exim(smtp25) and nfs I need to use locally.  I've worked myself 
> into a panic, stupidly, over this and could use guidance.  Am I looking 
> in the right logs?  Should I scrap Bastille and, painstakingly, rewrite 
> my ipchains?  Should I worry less?  The Debian security handbook is only 
> getting me so far.

I'm not familiar with the Bastille scripts.  However, are you sure that they
are being applied?  Have you tried to view the live configuration?  What
does "ipchains -L -v" give you?  You may wish to remove any identifying IPs
in the config if you aren't confident about it.

It's also quite possible that it is not actually logging everything that
gets blocked, or you may not have the logging kernel module loaded perhaps.

As for being too worried, well, some would say you can't be too worried, but
I would just say take note of security announcements (at least subscribe to
debian-security-announce if you haven't already) and take steps to make sure
your system is not vulnerable to known attacks.  Anyway, NFS is certainly
something you don't want accessible on public networks.  It's pretty much
insecure by design, which should be remembered even on private networks
where you may have untrusted nodes connected (do you really trust that temp
receptionist, or even that work experience kid?).

> Other considerations, the box in question is a dialup box masquerading 
> for the rest of my home network.

At least part of the configuration is working then. :)

Actually, have you considered using iptables instead?  Given that it
obsoleted ipchains back in about 1999... :)

Pete
-- 
Pete Ryland
http://pdr.cx/

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
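
Added example, not part of Pete's reply or anything else in this thread: a
shell script that shows the three things the reply asks the original poster
to check on an iptables host. It prints a log-then-drop ruleset for a dial-up
masquerading gateway, tests whether the live INPUT chain (as printed by
"iptables -L INPUT -v -n") really has a LOG rule ahead of its DROP, and
summarises the denied connection attempts found in syslog by protocol and
destination port. The interface names ppp0 and eth0, the log prefix
"FW-DROP: ", and the two sample outputs embedded in the script are
assumptions constructed for the example, not data from the list.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: ppp0 is the dial-up
# side, eth0 the home LAN, "FW-DROP: " is the kernel log prefix, and the two
# SAMPLE_* blocks are constructed stand-ins for real command output/syslog.

# 1. Ruleset. Printed rather than applied: loading it needs root and a
#    netfilter (2.4+) kernel. Review the output, then as root:  ruleset | sh
#    (portmap/mountd ports for NFS are omitted to keep the example short).
ruleset() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# local services only from the LAN side; NFS never from the dial-up side
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 2049 -j ACCEPT
# log before dropping, rate limited so a port scan cannot fill the disk
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
iptables -A INPUT -j DROP
EOF
}

# 2. Does the live chain log before it drops?  Reads "iptables -L INPUT -v -n"
#    output on stdin (-n avoids slow reverse DNS lookups). Returns 0 when a
#    LOG rule precedes the first DROP rule, 1 otherwise; a DROP policy with no
#    LOG rule at all, which silently discards packets and leaves syslog empty,
#    also returns 1.
has_log_before_drop() {
    awk '
        /^Chain / || /^ *pkts/    { next }          # banner and column header
        $3 == "LOG"               { seen_log = 1 }  # field 3 is the target
        $3 == "DROP" && !seen_log { bad = 1 }
        END { if (seen_log && !bad) exit 0; exit 1 }
    '
}

# Constructed sample of "iptables -L INPUT -v -n" on a host running the ruleset.
SAMPLE_RULES=$(cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  311 41200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2049
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:2049
    5   300 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `FW-DROP: '
    5   300 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# 3. Summarise denied attempts from syslog: "PROTO DPT count", busiest first.
#    Reads the log on stdin; only lines carrying our prefix are counted, so
#    unrelated daemon lines in the same file are ignored.
denied_by_port() {
    grep 'kernel: FW-DROP: ' | awk '
        {
            proto = ""; dport = ""
            for (i = 1; i <= NF; i++) {          # fields look like KEY=VALUE
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dport = kv[2]
            }
            if (dport != "") n[proto " " dport]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort -k3,3nr -k2,2n
}

# Constructed sample syslog: a scan of NFS (2049) from two hosts, one NetBIOS
# probe, one SMTP attempt, and an unrelated exim line that must be ignored.
SAMPLE_SYSLOG=$(cat <<'EOF'
Jan 27 11:05:17 gateway kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41211 DF PROTO=TCP SPT=3301 DPT=2049 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 27 11:05:18 gateway kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41212 DF PROTO=TCP SPT=3302 DPT=2049 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 27 11:06:02 gateway kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=198.51.100.77 DST=198.51.100.20 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 27 11:06:40 gateway exim[1234]: Start queue run: pid=1234
Jan 27 11:07:11 gateway kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.33 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=5 DF PROTO=TCP SPT=40001 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 27 11:07:30 gateway kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.33 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=6 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
)

# Stand-alone run over the constructed samples. On a live host replace them
# with "iptables -L INPUT -v -n" and /var/log/syslog (Debian's default
# syslog.conf also copies kern.* to /var/log/kern.log).
if printf '%s\n' "$SAMPLE_RULES" | has_log_before_drop; then
    echo "INPUT chain logs before it drops"
else
    echo "INPUT chain drops without logging: nothing will reach syslog"
fi
printf '%s\n' "$SAMPLE_SYSLOG" | denied_by_port
```

If the second check reports a chain that drops without logging, that is the
situation described in the original question: the scan is being blocked by
a DROP policy, but no rule ever asks the kernel to log it, so grepping
/var/log/syslog finds nothing.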