What also is good is to lock down your system with ipchains or iptables. If
you block all incoming packets that aren't needed, it doesn't matter what
services you have running.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com

----- Original Message -----
From: "Simon Greaves" <Simon.Greaves@usp.ac.fj>
To: "Palmer J.D.F." <J.D.F.Palmer@Swansea.ac.uk>
Cc: "Squid Users" <squid-users@squid-cache.org>
Sent: Monday, April 23, 2001 6:10 PM
Subject: [squid-users] re: Tying down Squid boxes
> Jezz,
>
> > I realise that this is a bit off track for this forum, but I am
> > looking to make my squid boxes as secure as reasonably possible.
> >
> > I have installed TCP wrappers and closed as many ports as I can but I'm
> > wondering whether I need to have the 'sunrpc' and 'auth' ports open, and
> > if not how to close them.
>
> Depends on what else the host running squid is doing. If there's no NFS or
> services using portmapper, you don't need sunrpc. Similarly, if you don't
> want your system to provide ident info to others, you can close auth.
>
> > Does any one have any opinions/advice?
>
> I run squid on a couple of old pentiums here. Both were installed with
> minimal Linux installations, then I went through and removed anything I
> didn't need, applications, servers, whatever - if it wasn't essential to
> squid it was deleted. The systems don't run inetd, in fact the only
> network servers they run are squid, xntpd and sshd (which is configured
> to only accept connections from a small no. of hosts). The fewer network
> services you have running, the more manageable your security becomes, but
> as ever it's a balance between what you need to run on the system and the
> usability of that system. It may also be influenced by the location of
> your squid cache; if it's behind a corporate firewall, it may be ok to be
> a bit more lax with the security of the system itself.
>
> Simon
> --
> Simon Greaves voice: (+679) 212114
> Computer Centre fax: (+679) 304089
> The University of the South Pacific email: Simon.Greaves@usp.ac.fj
> Suva, Fiji
Received on Tue Apr 24 2001 - 07:52:28 MDT
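
An added example, not part of the original messages: a shell check for the approach discussed in this thread, listing listening sockets that fall outside an allowlist so that leftover services such as sunrpc (port 111) and auth (port 113) stand out before the packet filter is written. The allowlist (sshd on 22/tcp, NTP on 123/udp, Squid's default 3128/tcp), the function names and the sample `ss` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag network listeners that are not on an allowlist.
# ALLOWED is an assumption: sshd (22/tcp), xntpd (123/udp) and Squid's
# default http_port (3128/tcp). Adjust it to match your own squid.conf.
ALLOWED="tcp/22 udp/123 tcp/3128"

# Reads `ss -Hlntu`-style lines on stdin and prints one "proto/port" per
# unexpected listener, sorted and de-duplicated. Loopback-only sockets are
# skipped because they are not reachable from the network.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            addr = $5
            port = addr
            sub(/.*:/, "", port)        # keep the text after the last colon
            sub(/:[^:]*$/, "", addr)    # keep the text before it
            if (addr ~ /^127\./ || addr == "[::1]") next
            key = $1 "/" port
            if (!(key in ok)) print key
        }' | LC_ALL=C sort -u
}

# Constructed sample input in the column layout of `ss -Hlntu`.
sample_listeners() {
cat <<'EOF'
tcp   LISTEN 0  128    0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0  128    0.0.0.0:3128    0.0.0.0:*
tcp   LISTEN 0  128    0.0.0.0:111     0.0.0.0:*
udp   UNCONN 0  0      0.0.0.0:111     0.0.0.0:*
tcp   LISTEN 0  128    0.0.0.0:113     0.0.0.0:*
udp   UNCONN 0  0      0.0.0.0:123     0.0.0.0:*
tcp   LISTEN 0  100    127.0.0.1:25    0.0.0.0:*
tcp   LISTEN 0  128    [::]:22         [::]:*
EOF
}

# On a live host: ss -Hlntu | unexpected_listeners
sample_listeners | unexpected_listeners
```

Anything the check prints is a service to stop or remove; a default-deny inbound policy that permits only the allowlisted ports then covers whatever is missed.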