That's pretty much what I have. Thanks for making me feel a bit more secure.

Munir Nassar wrote:
>
> On Sat, 1 Jun 2002, Wayne Johnson wrote:
>
> > Hmmm. I just set up a system, tell it to reject packets for all ports
> > I'm not using, especially telnet, ftp, and the other usual suspects.
> > Guess I've never heard of gShield. Am I being naive? Should I be
> > looking into a bit more protection?
>
> The best protection money can buy is to disconnect the network cable
>
> short of that it is just playing a game of how much you can/will
> compromise...
>
> for me i start with dropping all packets, it makes the firewall more
> "stealthy" and it causes an nmap to scan for a long time because it has
> to wait for the connections to timeout, but violates RFCs...
>
> then i open the ports for the services that i need, SSH, IMAPS, HTTP,
> HTTPS, DNS and so forth. It is highly recommended that you section off
> your network into separate parts with strict ACLs but that is just too
> much of a headache for my small network
>
> next install portsentry and have it drop all connections from the bastard
> who tried to scan you...
>
> that is just for the network, internally you should setup some shit like
> tripwire and make sure you update your packages regularly,
>
> -munir
>
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list

-- 
Wayne Johnson,               | There are two kinds of people: Those
3943 Penn Ave. N.            | who say to God, "Thy will be done,"
Minneapolis, MN 55412-1908   | and those to whom God says, "All right,
(612) 522-7003               | then, have it your way." --C.S. Lewis
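The default-drop-then-open-listed-services policy Munir describes, written out as an added example (this script is not from the thread or from either poster). It assumes Linux iptables with the conntrack match available, an interface name of eth0, and the standard port numbers for the services he names (SSH 22, IMAPS 993, HTTP 80, HTTPS 443, DNS 53); the "reject" mode is included so the two behaviours the thread contrasts (silent DROP versus RFC-style REJECT) can be compared side by side. It prints the rules by default (DRY_RUN=1) rather than applying them.

```bash
#!/bin/sh
# Added example, not code from the mailing-list thread. Minimal INPUT-chain
# policy in the style the thread describes: default-drop, permit only the
# services actually offered, then either silently drop or explicitly reject
# everything else. Interface name and port numbers are assumptions.
# DRY_RUN=1 (the default) prints the iptables commands instead of running them.

IFACE="${IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Services named in the thread: SSH, IMAPS, HTTP, HTTPS, DNS (assumed ports).
TCP_PORTS="22 993 80 443 53"
UDP_PORTS="53"

# Wrapper so the same function can preview or apply rules.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the INPUT rules. $1 chooses how unsolicited packets are handled:
#   drop   - discard silently (the thread's "stealthy" choice; scanners must
#            wait for their own timeouts, at the cost of violating the RFCs)
#   reject - answer with TCP RST / ICMP port-unreachable, the RFC-conformant
#            behaviour, which tells a scanner immediately that the port is closed
build_input_rules() {
    policy="${1:-drop}"
    ipt -F INPUT
    ipt -P INPUT DROP
    # Loopback and replies to connections we initiated are always allowed.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Open only the listed services, and only for new inbound connections.
    for p in $TCP_PORTS; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        ipt -A INPUT -i "$IFACE" -p udp --dport "$p" -j ACCEPT
    done
    # Final catch-all: the chain policy already drops, so the reject variant
    # needs explicit rules while the drop variant just makes the intent visible.
    if [ "$policy" = "reject" ]; then
        ipt -A INPUT -i "$IFACE" -p tcp -j REJECT --reject-with tcp-reset
        ipt -A INPUT -i "$IFACE" -j REJECT --reject-with icmp-port-unreachable
    else
        ipt -A INPUT -i "$IFACE" -j DROP
    fi
}

# Number of iptables commands a given policy emits (used for checking).
count_rules() {
    DRY_RUN=1 build_input_rules "$1" | wc -l | tr -d ' '
}

# Usage: sh firewall.sh [drop|reject]   (set DRY_RUN=0 to apply for real)
build_input_rules "${1:-drop}"
```

Run it with DRY_RUN=1 first and read the printed rule list; the difference between the two modes is only the last one or two lines, which is the whole of the "stealthy versus RFC-conformant" trade-off Munir mentions. Whatever you choose, the ESTABLISHED,RELATED rule near the top is what keeps your own outbound sessions working once the default policy is DROP.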