LUGOD: Linux Users' Group of Davis
Page last updated:
2005 May 30 22:24

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.


[vox] Basic security issues



Long story short:  last week I ran nmap from my Linux box at work to check for 
open ports on my home network.  One of the ports nmap scanned was 31337.  
Because that's the port that Back Orifice uses, our department's IT -- a 
Microsoft zealot -- decided that someone was trying to hack into our network 
to use Back Orifice on one of our systems.  After demonstrating that because 
the 31337 scan was directed at my own machine and because it coincided 
precisely with the time that I was running nmap and that my home machine is 
not vulnerable to Back Orifice anyway, the IT guy has still decided that 
because of this I should not be allowed to use a Linux workstation at my desk 
(despite the fact that I maintain two Solaris servers and two Linux servers 
as part of my job).  For sanity's sake, I did run a full chkrootkit and 
system log scan on my machine just to make sure it hadn't been compromised.

So just because I'm cantankerous, I want to demonstrate that using a laptop 
running Linux is better for our network than a desktop running Windows.  I've 
already disabled all non-essential services, including sshd.  What other 
steps could I take?  I'm thinking about using IPTABLES to block all outbound 
traffic on ports other than 21, 22, 80, and 110.  And I wonder if it's 
possible to allow traffic on those ports to specific destinations only; for 
example, to allow port 22 to connect only to my home machine and to the 
servers I maintain here at work, or to allow 21 to connect only to our 
hosting provider (who allows only FTP access to our files).  None of this is 
necessary, of course, but, as I said, I'm cantankerous and I have a point to 
prove, dammit.

What are your thoughts?  Suppose this were a Linux laptop that you'd give to a 
company employee?  What services and ports would you allow on it?

-- 
Richard S. Crawford
http://www.mossroot.com
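
The egress policy the post asks about (default-deny outbound, ports 22 and 21 limited to named destinations, 80 and 110 open to any destination) can be written as an iptables-restore ruleset. The script below is an added example, not part of the original post; every address is a constructed placeholder from the documentation ranges, and the DNS rule and the inbound default-deny are assumptions the post does not state.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset to stdout; it never touches
# the running firewall. Every address is a constructed placeholder (RFC 5737).
SSH_HOSTS="192.0.2.10 198.51.100.21 198.51.100.22"  # home machine + work servers
FTP_HOSTS="203.0.113.5"                             # hosting provider
DNS_HOSTS="198.51.100.53"   # assumption: the post lists no DNS port, but names must resolve
ANY_DEST_PORTS="80 110"     # HTTP and POP3 stay open to any destination

# Print one ACCEPT rule per destination for new outbound connections.
allow_to() {  # usage: allow_to <proto> <dport> <host>...
    proto=$1; port=$2; shift 2
    for host in "$@"; do
        printf '%s\n' "-A OUTPUT -p $proto -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

emit_egress_rules() {
    # Default-deny in every direction (assumption: nothing listens on the laptop).
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback and replies to connections this host opened.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
                  '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
                  '-A OUTPUT -o lo -j ACCEPT' \
                  '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Word splitting of the host lists is intended here.
    allow_to tcp 22 $SSH_HOSTS
    # Port 21 is only the FTP control channel: data connections are matched as
    # RELATED, which requires the kernel's conntrack FTP helper to be active.
    allow_to tcp 21 $FTP_HOSTS
    allow_to udp 53 $DNS_HOSTS
    allow_to tcp 53 $DNS_HOSTS
    for port in $ANY_DEST_PORTS; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the policy rejects so blocked egress is visible; the DROP policy then applies.
    printf '%s\n' '-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "egress-drop: "' 'COMMIT'
}

emit_egress_rules
```

Piping the output to `iptables-restore --test` as root parses the ruleset without committing it. DHCP, NTP and outbound ICMP are not permitted by this policy and need their own rules if the laptop depends on them.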
