On Fri, Mar 22, 2002 at 11:52:58AM -0600, Bob Tanner wrote:

[not replying to Bob in particular, but..]

> The read-only FS stuff is a good idea, but can make install updates/patches and
> pain for -you- when it comes time.

Why? Grandma doesn't need the root password, and your permissions *are* set properly, aren't they? Even if grandma accidentally shuts down improperly you'd be using ext3, and would lose no data due to the fact that grandma wasn't modifying those partitions. (and she'd get to wait a few moments while it fsck'd, and see the reminder to shut down properly)

> Installing tripwire is a better idea, IMHO.

Yep, RedHat comes with it, `echo you@your.email > ~root/.forward` and you can get the reports directly.

>
> Install sshd, disable root logins, enable X forwarding.

How is disabling root logins going to change anything? You picked a secure password, didn't you? You used a *unique* password, didn't you? If you feel insecure about your passwords then restrict remote logins to people with public/private key pairs. (disable password authentication)

Running sshd on 'a high port' (see other post) isn't going to get you anything, most decent scanners would grab the banner from the port when they scanned and tell you it's sshd. (Security through obscurity is no security at all)

> Setup iptables, lock down everything except ssh access from your box (assuming
> you have a static IP).

Or if you have a dynamic IP you can add the block you're in (not the best solution) or add the IP of a machine that you have access to, that does have a static IP.

> If you got static IPs on each side, setup IPSEC.

Seems like overkill, but if you are going to do this you might as well use remote syslogging to your box so you can see what's going on at grandma's place in real time.

> Run neuss against the each box and make sure there is no warnings.

Did you mean nessus?

Hopefully you've selected maximum security in the RH setup and it set up what's generally referred to as a black hole.

--
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://techmonkeys.org/~poptix                GPG public key 0x01938203
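
The "disable password authentication" step from the message above, turned into a check of an sshd_config file. This is an added example, not part of the original message; the function names `sshd_effective` and `audit_key_only` are hypothetical, and the sample config is constructed. It relies on sshd using the first value it finds for a keyword, so a later "no" does not override an earlier "yes".

```shell
#!/bin/sh
# Added example: check that an sshd_config really limits logins to key pairs.
# Limits (assumptions): only the global section is read; Include files and
# Match blocks are not followed. Unset keywords are assumed to default to yes.

# sshd_effective NAMES FILE DEFAULT
# NAMES is a lowercase keyword, or aliases joined with "|". Prints the value
# sshd would use: the FIRST occurrence wins, later duplicates are ignored.
sshd_effective() {
    awk -v want="$1" -v def="$3" '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }                 # drop indentation, re-split fields
        /^(#|$)/ { next }                      # comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }                # global section ends here
        key ~ ("^(" want ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# audit_key_only FILE: prints one line per problem, returns 0 if none.
audit_key_only() {
    rc=0
    [ "$(sshd_effective pubkeyauthentication "$1" yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication is off, nobody can log in with a key"; rc=1; }
    [ "$(sshd_effective passwordauthentication "$1" yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication is still enabled"; rc=1; }
    # Keyboard-interactive (often PAM) can still prompt for a password.
    [ "$(sshd_effective 'kbdinteractiveauthentication|challengeresponseauthentication' "$1" yes)" = no ] ||
        { echo "FAIL: keyboard-interactive authentication is still enabled"; rc=1; }
    return "$rc"
}

# Constructed sample: the later "no" is ignored because "yes" comes first.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sshd_config fragment
PasswordAuthentication yes
PubkeyAuthentication yes
KbdInteractiveAuthentication no
PasswordAuthentication no
EOF
audit_key_only "$demo" || echo "config does not enforce key-only logins"
rm -f "$demo"
```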