In addition to what seems to be a reasonably thorough security effort,
try installing djbdns and kicking out BIND. Use postfix, not sendmail,
disable telnet/ftp (but you know these last three). I had this idea
for my network, what do people think:

Using kernel 2.4, it should be far easier to implement a fairly tight
application proxy firewall. You can redirect all packets going to a
particular port number outside the network to a particular port number
on your machine. Very useful. I need to be able to force all email
through our system. There it can be scanned for viruses in both
directions, stripped of bad attachments (e.g. vbs, if I so wish). If
necessary and under strict circumstances, I can implement mail
monitoring on a per-account basis. I can prevent staff mis-using the
mail facilities for spamming. They can access another machine outside
the network (e.g. telnet or ssh, then jump from there) or they can use
a hotmail account, but they cannot send from the network.

The same can be said for web browsing. I can force all http traffic
through the web proxy. Not for purposes of filtering (it doesn't
work), more because it optimises the dialup connection's bandwidth to
proxy things, allows us to implement per-workstation monitoring (if
necessary) and ACLs for browsing the internet.

What do people think? Is this feasible using kernel 2.4? From my
reading of articles on SecurityPortal it is, but I could be wrong. I
have one more question: does NetFilter include user-based rules? I
mean allow this user through, but not that one, log this user but not
that one, if unusual traffic comes through, log the traffic *and* the
user. This would be extremely useful and already exists in commercial
firewalls.

Oh - and to pre-empt anyone that is against the notion of monitoring
users at work: I would be happy to argue in a separate thread, but not
this one. But to be brief:

The network belongs to a charity. We pay for dialup time at peak rate,
so mis-using that is stealing from the charity. As for mail, all mail
sent needs to be logged anyway. It is a document relating to clients
of the charity and therefore falls under the Data Protection Act
(United Kingdom) - they need to be able to ask to see all
correspondence. Therefore all email will be logged. Lastly: the
charity has a comparatively small budget. There have been problems
from time to time with mis-use of resources. This will put a stop to
that.

Anyway, I'm not interested in all that. Technically speaking, how
feasible is this under 2.4?

tom
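The two mechanisms the post asks about, as an added example that is not part of the original message: netfilter's REDIRECT target in the nat table's PREROUTING chain does the transparent "send port X from the LAN to port Y on this box" trick for mail and web, and the owner match (`-m owner --uid-owner`) is the closest thing to a user-based rule. The caveat a practitioner wants to know is that the owner match only sees packets generated on the firewall itself (OUTPUT chain); it cannot identify which user on a workstation sent a forwarded packet, so per-user rules only work for people logged on to the gateway (for instance the ssh "jump" users). The interface name, proxy ports and uid below are assumptions; with DRY_RUN=1 (the default) the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): generate the netfilter rules that
# force LAN SMTP and HTTP through local proxies and log/allow outbound ssh per user.
# LAN_IF, the proxy ports and the uid passed to log_and_allow_user are assumptions.

LAN_IF="${LAN_IF:-eth1}"                     # assumed internal interface
SMTP_PROXY_PORT="${SMTP_PROXY_PORT:-2525}"   # assumed local port of the scanning mail relay
HTTP_PROXY_PORT="${HTTP_PROXY_PORT:-3128}"   # assumed local port of the web proxy
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print rules, 0 = apply them

# Wrapper so the rule set can be reviewed before it touches the kernel.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Capture TCP traffic from the LAN aimed at port $1 (anywhere) and hand it to
# local port $2. REDIRECT rewrites the destination to this machine's address.
redirect_port() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport "$1" -j REDIRECT --to-ports "$2"
}

# Mail and web can only leave via the proxies: redirect what we expect, and
# drop any direct forwarding of those ports as a second line of defence.
force_mail_and_web() {
    redirect_port 25 "$SMTP_PROXY_PORT"
    redirect_port 80 "$HTTP_PROXY_PORT"
    ipt -A FORWARD -i "$LAN_IF" -p tcp --dport 25 -j DROP
    ipt -A FORWARD -i "$LAN_IF" -p tcp --dport 80 -j DROP
}

# User-based rule: the owner match applies only to locally generated packets,
# so this governs users logged on to the gateway, not forwarded workstation traffic.
# $1 = uid allowed to open outbound ssh; any other uid is logged, then dropped.
log_and_allow_user() {
    ipt -A OUTPUT -p tcp --dport 22 -m owner --uid-owner "$1" -j ACCEPT
    ipt -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-unlisted-uid:"
    ipt -A OUTPUT -p tcp --dport 22 -j DROP
}

# Usage: review with DRY_RUN=1, then apply with DRY_RUN=0 as root.
force_mail_and_web
log_and_allow_user 1000
```

Run it once as-is to read the generated rules, then with `DRY_RUN=0` to load them. The FORWARD drops are deliberate: if the REDIRECT rule is ever removed or mis-ordered, the LAN still cannot reach external mail and web ports directly.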