Re: Firewall - Very limited Access - suggestions

Kevin F. Berrien wrote:

I know what you mean, also given the security requirements of this installation. I was thinking of using a GUI, and reviewing the firewall script. I've got that good Linux Firewalls text to read up on.

Hi

Hardening the bastion host is more than just firewall rules.

If I were building a bastion host on FC2 I would also read up on SELinux. I believe that the extensions are already built into the kernel and I have seen some configuration apps somewhere.

With the SELinux extensions it is possible to restrict access to commands so that root is no longer able to gain access to everything on the system. You can have another more obscure username/uid that has more access rights than root. If possible you may want to have another server outside the bastion host, that provides your DNS and other "public" services {mail,web}.

A few years ago I set up a bastion host. Although it is inconvenient, I configured it so that there was no remote access to the machine and root was not able to log in directly from any console. Further security included a locked case, no floppy, no CD, and USB disabled in BIOS.

I don't know if it is good or bad, but the administrator left on bad terms and nobody could get into the machine to change passwords. They found the key, and installed a CD drive then Win 2000. They decided that having a technically inclined person to maintain their systems was too expensive. I have already had to shut down their connection once due to open relay complaints; it cost them more to have an "expert" fix their machine than I would have charged to maintain their bastion host for a year.

Hope all goes well.


