[Asterisk-Users] Gentoo

Joe Greco jgreco at ns.sol.net
Tue Oct 26 14:41:07 MST 2004


> > (Mandrake 10 does a good job of locking down a box. Minus whatever You
> > install
> > and run that might be a liability.)
> 
> RIIIGHT a box is only as secure as the admin of the box makes it... not how
> secure the distro is.  I don't know one linux distro that does it right.

Part of the mistake here is the thinking that much of *anything* should be
running right out of the box.

We offer a special honorary mention to RedHat for their version 6 spectacle
of trivially crackable installs.

Of course, it does help significantly if what's being installed isn't full
of holes to begin with.

OpenBSD (not a Linux distro) gets high marks in this regard, and FreeBSD
hasn't been too bad either.

However, some good rules to live by:

1) Don't enable services you don't need (i.e. *inspect* netstat -an)

2) Firewall the heck out of everything else.  There's almost never a need
   for all of the Internet to reach your ssh or telnet ports, for example.

3) Use detection countermeasures such as tripwire or mtree.

4) Use passive countermeasures such as running your box in securemode and
   making most files immutable.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



More information about the asterisk-users mailing list