Perhaps the MandrakeUser.org Forum site would be better for this but;
I continue to be amazed at the variety of methods to achieve certain goals
with Linux and being a LM user myself I have seen, asked and been subject to,
many questions Re: security.
One of the prime developers of Bastille Linux is now working with Mandrake.
For the last several versions Mandrake has had MSEC which can vary the security
and access protocols to the point that a user can lock themselves out if they aren't
careful.
I kind of like the straight-forward 'custom.sh' under /usr/share/msec.
IP-Chains and now with the newer kernels what is it called "ip-Filtering" or something
similar.
Programs such as pmfirewall, portsentry and others are often recommended.
Making "chown jails" is a popular term for some.
These are only a few and I have "dabbled" with variations of these yet still find it
difficult to sus out the relationships.
For instance I recently tried a fairly clean install of LM 7.2 using "high" but not
"highest" security.
Running nmap showed "nada" except for an xsession port open. Installing Bastille and
pmfirewall on top at different intervals actually showed more ports opening up. My usual
method of portsentry with rc.firewall/masq/ip-chains seemed to show about the same.
Setting up proftpd to only accept verifiable users to access helped. Of course
ssh2/ssh/openssh and sftp derivations help with some access issues.
I have used Tripwire on occasion. Then you get into the VPN areas which I am saving
for the next Alaskan Winter, and the intricacies of the mdkcrypto-kernels!!!!
I have probably spent hundreds of hours over the years messing with different settings
and still find myself very murky about a lot of what is really going on.
Seeing the output of my log files brings home the fact that there ARE loose cannons
out there, some maliciously and some innocently trying to see whose door they can open
and take a look around.
Every time I subscribe to a List I will get more of these but that's to be expected.
Sometimes I think it would be nice to have (for the command-line-challenged) like
myself;
A Mr Dumb GUI interface with "point and click open and close this or that port" Then
A Mr Dumb GUI examine yourself, similar to nmap or others.
Installing without X is of course a fine method to those with excellent command-line
talents.
Maybe it makes no sense but all I know is after several years I still cannot and
probably never will;
decide which combo of security protocols are THE ONES. I assume the adage "it works
decently well for me" is a good one until the next Security Alert :)
Thanks to all those who might have actually read this far.
I guess it's the same with a house or an apartment. Some have no locks or even closed
doors, while some have million dollar security systems, guards, and attack dogs.
Thanks for listening to my annual discourse.
William Bouterse
Talkeetna, Ak
LM 7.2+
XFree86-4.0.2-4mdk
kernel-2.4.1-16mdk