Re: [squid-users] My Squid Hardware -- Any Tips/Advice Before It's Commissioned

From: Mark Tinka <[email protected]>
Date: Thu, 1 Apr 2004 09:20:15 +0100 (BST)

 --- Chris Wilcox <not_rich_yet@hotmail.com> wrote: >
>
> If this box will run Squid and Squid only...

yes, this box will run squid and squid only..

>...then I'd
> be looking into one of
> the more minimal distributions such as Debian. You
> don't need most of the
> 'junk' that distro's like Suse will install by
> default....

when u say 'junk', do u mean actively running
services, that have ports to which one can connect, or
do u mean the myriad of packages that SuSE will
install based on the type of setup u need (which
includes Minimal, Default, Default With Office or
Everything)..?..

>... as most of the
> services etc that will be running by default on
> distro's like Suse will only
> serve to slow things down.

i see u mean well, but i've been running SuSE since i
started in the industry, and over time one develops
ideas and tricks on one's favorite flavor of Linux..

regarding running services, i know SuSE don't have
INETD running by default post install..

although they do default to runlevel 5 which starts X
at boot, i counter this by defaulting to runlevel 3
(really don't need X running on production gear)...

i know the smtp port is open post install thanks to
postfix, which i delete before anything else (and if i
need a mailer, replace with exim)..

the portmapper is also open by default post install,
but i stop this and remove it from the runlevels so it
doesn't start on boot..

then there's openssh, which is started by default post
install.. this is good, of course, all i do is
upgrade it to the latest stable version and close it
off using iptables and the tcp wrapper..

once all that's done, i use a script that SuSE have
discontinued (but it still does its job) called
harden_suse.. it removes setuid and setgid bits from
binaries that could compromise your system.. the
script also hashes/comments all (uncommented) entries
in /etc/inetd.conf...

after all that, i use a customised and hardened
iptables firewall to close off the only service
running on the box, SSH...

so, as u can see, adding squid to my system will only
open up port 3128, which the firewall will close off
and only redirect outbound http traffic to...

i hope this is minimal enough..

Regards,

Mark.

>
> hth
>
> Regards,
>
> Chris
>
>

Received on Thu Apr 01 2004 - 01:20:17 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:01 MDT
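The checklist Mark walks through (no unexpected listeners, default runlevel 3, no postfix or portmapper start links, setuid bits stripped, an SSH-only firewall with LAN HTTP redirected to squid on 3128) can be turned into an audit that a defender runs before commissioning the box. The script below is an added example and is not code from the mail, from SuSE's harden_suse or from the Squid project. It assumes the SysV layout of that era (`/etc/inittab`, `/etc/init.d/rc<N>.d` links) and `netstat -tln` output; the `eth1` interface, the `192.0.2.0/24` admin network and the sample netstat/inittab text are constructed assumptions, and the firewall rules are printed for review rather than applied.

```shell
#!/bin/sh
# Hardening audit in the spirit of the checklist in the mail above (SuSE of
# that era: SysV /etc/inittab, /etc/init.d/rc<N>.d links, netstat output).
# Added example, not from the original post or the Squid project. The
# functions take their input explicitly so they can be run on constructed
# data without root; point them at the live files to audit a real box.

ALLOWED_PORTS="22 3128"   # sshd and squid: the only listeners Mark leaves open

# unexpected_listeners: read "netstat -tln" style lines on stdin and print
# every listening TCP port that is not on the allowlist (e.g. 25 from
# postfix, 111 from the portmapper), each once, in the order seen.
unexpected_listeners() {
    awk -v allow="$ALLOWED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            if (!(port in ok) && !seen[port]++) print port
        }'
}

# default_runlevel: print N from the "id:N:initdefault:" line of the inittab
# text on stdin; the mail wants 3 so X is not started on production gear.
default_runlevel() {
    sed -n 's/^id:\([0-9]\):initdefault:.*/\1/p'
}

# enabled_services: names of services with an S?? start link in
# $root/etc/init.d/rc$level.d (root="" for the running system).
enabled_services() {
    root="$1"; level="$2"
    for link in "$root/etc/init.d/rc$level.d"/S[0-9][0-9]*; do
        [ -e "$link" ] || continue
        basename "$link" | sed 's/^S[0-9][0-9]//'
    done | sort -u
}

# setuid_files: files under a directory carrying the setuid or setgid bit,
# the ones harden_suse would strip; this only reports them.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# firewall_rules: print (not apply) an iptables ruleset matching the mail's
# description: default DROP, SSH only from the admin network, and inbound
# HTTP from the LAN redirected to squid on 3128. Interface name and admin
# network are assumptions (defaults below); substitute your own.
firewall_rules() {
    lan_if="${1:-eth1}"; admin_net="${2:-192.0.2.0/24}"
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $admin_net -j ACCEPT
iptables -A INPUT -i $lan_if -p tcp --dport 3128 -j ACCEPT
iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-port 3128
EOF
}

# --- constructed sample data for a stand-alone run (not from a real host) ---
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN'
INITTAB_SAMPLE='# The default runlevel is defined here
id:5:initdefault:'

# make_fixture: build a throw-away fake root that looks like a fresh install
# (portmap and postfix still enabled in runlevel 3, one setuid binary);
# prints the directory path so the caller can clean it up.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/init.d/rc3.d" "$d/usr/bin"
    for s in S10portmap S20postfix S30sshd K99xdm; do : > "$d/etc/init.d/rc3.d/$s"; done
    : > "$d/usr/bin/ping" && chmod 4755 "$d/usr/bin/ping"
    printf '%s\n' "$d"
}

# audit_report: run every check against the constructed data and print it.
audit_report() {
    fix=$(make_fixture)
    echo "unexpected listeners: $(printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners | tr '\n' ' ')"
    echo "default runlevel:     $(printf '%s\n' "$INITTAB_SAMPLE" | default_runlevel)"
    echo "runlevel 3 services:  $(enabled_services "$fix" 3 | tr '\n' ' ')"
    echo "setuid/setgid files:  $(setuid_files "$fix/usr/bin")"
    echo "proposed firewall:"; firewall_rules eth1 192.0.2.0/24
    rm -rf "$fix"
}

if [ "${1:-}" = "demo" ]; then audit_report; fi
```

Run it as `sh audit.sh demo` to see the report on the constructed fixture; on a real host, feed `netstat -tln` and `/etc/inittab` into the first two functions and call `enabled_services "" 3` and `setuid_files /usr/bin` instead. The listener check is the one that catches the most: postfix on 25 and the portmapper on 111 show up there even when the start links have already been removed but the daemons are still running from the current boot.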