On Mon, 2004-07-26 at 09:54, Jim Higson wrote:
> > Can you harden a linux system as good or better than a cheap hardware
> > firewall, you may be able to today, someone new maybe not.
>
> Well, there's always firewall-specific distros - smoothwall and the like. I'm
> pretty sure a newbie could work out how to set up a hardened Linux network in
> less than 10 minutes with a Smoothwall CD. Ok, that's slightly cheating
> because it's turning an old computer into a cheap hardware firewall.

Good points. But how many newbies have spare equipment lying around and know about smoothwall day one? I did not. There was a learning curve that we all climb at our own speed. As you learn more you change your system to use new things. When you set up a second system you probably set it up differently than you did the first system due to what you have learned.

> Besides, I've always thought the default security with Redhat/Fedora was
> pretty good. Just not selecting any services to let through the local
> firewall in the graphical installer should be good enough.

It is good if you leave it at its highest settings, no ssh, no ftp, etc. through the firewall, block everything. But many people want to access their shiny new linux box using samba or ftp or telnet or ssh. Those get punched through early on so they can access other systems on their LAN or share a directory with that windows machine.

If they have a spare box to configure as a firewall, great. If not, a cheap hardware router does a great job with a lot less fuss and probably more securely than a first time implementation of smoothwall.

And like I said before, poor passwords are more of a problem than most other things. I seem to recall a thread in this very group talking about how to set up a system WITHOUT any passwords at all. I just shudder at the thought. I ran a program once on a VAX 11/780 which was able to crack something better than 60% of the passwords on that system. (I was system admin at the time and I had informed my boss what I was doing....) Was kind of funny when I went to my boss and told him to change his password since he had selected a poor one.

And setting up a layered defense makes it more difficult to identify and hack systems from external connections. This is one of the reasons most companies implement DMZs which separate Internet facing systems from internal LANs. But that is straying from the discussion. :)

-- 
Scot L. Harris
webid@xxxxxxxxxx

The older a man gets, the farther he had to walk to school as a boy.
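The point made above about ssh and samba being "punched through" the default-deny firewall is usually safe as long as the holes are limited to the LAN rather than opened to the Internet. The script below is an added example, not code from this thread or from any distro's installer: it emits an iptables-restore ruleset with a DROP policy on INPUT that admits SSH and Samba only from a LAN prefix, plus a small check that no service port is reachable from an unrestricted source. `LAN_CIDR`, the interface-free rule form and the `--apply` flag are assumptions for illustration; the subnet is a constructed sample value.

```shell
#!/bin/sh
# Added example: default-deny INPUT policy that opens SSH and Samba only to
# the local LAN. LAN_CIDR below is a constructed sample subnet (assumption).
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"

# Emit the ruleset in iptables-restore format so it can be reviewed first.
# Lines starting with '#' are ignored by iptables-restore.
gen_rules() {
    lan="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the LAN, never from the Internet
-A INPUT -s $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Samba (NetBIOS name/datagram, then session/CIFS) only from the LAN
-A INPUT -s $lan -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s $lan -p tcp -m multiport --dports 139,445 -j ACCEPT
# Anything not matched above falls through to the INPUT DROP policy
COMMIT
EOF
}

# Count ACCEPT rules that open a service port without a source restriction.
# For a LAN-only policy this must be 0; loopback and established traffic
# carry no --dport and are deliberately excluded from the count.
unrestricted_service_rules() {
    gen_rules "$1" | awk '/-j ACCEPT/ && /--dport/ && !/-s / { n++ } END { print n + 0 }'
}

# Load the ruleset atomically; requires root and the iptables tools.
apply_rules() {
    gen_rules "$1" | iptables-restore
}

if [ "$1" = "--apply" ]; then
    apply_rules "$LAN_CIDR"
else
    gen_rules "$LAN_CIDR"
fi
```

Run without arguments to print the rules and read them over; run as root with `--apply` to load them. Widening a rule to `-s 0.0.0.0/0` (or dropping `-s` entirely) is exactly the mistake the check catches: the count stops being zero, which is the cue to put the service behind the LAN prefix again rather than on the open Internet.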