> I was wondering how to best block all network access to it when I log
> off...then unblock it when I log on. Changing iptables requires root
> access...as does running ifdown and ifup scripts.
You could use sudo to call them. But I don't really understand your
concern: if you're behind two pretty tight firewalls then there shouldn't
be anything to worry about. Myself, I just have one firewall (OpenBSD),
no local firewall on my system (at home).
If you're physically at the system (which I assume you are since you're
blocking network access while you're not logged on), perhaps simply
pulling the network cable out of the system is simplest.
nate
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
02-04-2010, 01:19 PM
Ross Walker
Block network at logoff on workstation
On Feb 3, 2010, at 9:36 PM, David McGuffey <davidmcguffey@verizon.net>
wrote:
> I'm trying to reduce the attack surface to a home machine that is
> always
> on and connected to the Internet. It is running CentOS 5.4, with
> tight
> iptables rules and sits behind a Verizon FiOS firewall/switch also
> configured with tight rules.
>
> I was wondering how to best block all network access to it when I log
> off...then unblock it when I log on. Changing iptables requires root
> access...as does running ifdown and ifup scripts.
>
> I could change the permissions on ifdown and ifup and run them from
> the
> login/logout scripts, but I'd prefer not to do that.
>
> Any tips?
Set iptables to block all inbound traffic unless initiated from your
workstation.
It's the most secure, all the time.
-Ross
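The "block all inbound unless initiated from your workstation" policy Ross recommends, written out as an added example for a CentOS 5 box (this is not Ross's or the list's code). It assumes the uplink is eth0, that ping replies are wanted, and that dropped probes should be sampled into syslog; set IPT=echo to dry-run and see the rules without touching the live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful default-deny INPUT
# policy for a CentOS 5 workstation. Assumptions: the uplink is eth0,
# ping replies are wanted, dropped probes get sampled into syslog.
# Run with IPT=echo to dry-run and just print the rules.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"

apply_inbound_policy() {
    # Default deny for anything arriving; outbound stays open so the
    # workstation can still browse and pull updates.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F INPUT

    # Loopback is needed by X, CUPS, a local DNS cache and the like.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # The rule that does the real work: admit only packets that belong to
    # a connection this machine initiated (conntrack ESTABLISHED/RELATED).
    # ICMP errors for our own connections already match RELATED here.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify (bogus flags, stray RSTs) are
    # dropped explicitly so they never reach a later rule.
    "$IPT" -A INPUT -m state --state INVALID -j DROP

    # Only ping needs its own rule; every other ICMP type falls through
    # to the DROP policy with everything else.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Sample what is about to be dropped on the uplink so probes show up
    # in /var/log/messages without flooding it. No ACCEPT: the policy drops.
    "$IPT" -A INPUT -i "$WAN_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "INPUT-DROP: "
}

# Sanity check for a dry run: how many rules in the policy accept anything?
# Loopback, the conntrack rule and echo-request make three.
count_accept_rules() {
    ( IPT=echo; apply_inbound_policy ) | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    apply_inbound_policy
fi
```

Run it as root with the `apply` argument, check with `iptables -L -n -v`, and on CentOS 5 persist it with `service iptables save` so it survives a reboot. The ordering matters: the INVALID drop sits after the ESTABLISHED,RELATED accept so it only sees traffic that is not part of a known connection, and the LOG rule is last so it records exactly what the DROP policy is about to discard.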
02-04-2010, 04:34 PM
Bowie Bailey
Block network at logoff on workstation
David McGuffey wrote:
> I'm trying to reduce the attack surface to a home machine that is always
> on and connected to the Internet. It is running CentOS 5.4, with tight
> iptables rules and sits behind a Verizon FiOS firewall/switch also
> configured with tight rules.
>
> I was wondering how to best block all network access to it when I log
> off...then unblock it when I log on. Changing iptables requires root
> access...as does running ifdown and ifup scripts.
>
> I could change the permissions on ifdown and ifup and run them from the
> login/logout scripts, but I'd prefer not to do that.
>
> Any tips?
>
$ shutdown -h now
If the machine is not doing anything, what is the point of leaving it on
in the first place?
--
Bowie
02-05-2010, 10:55 PM
David McGuffey
Block network at logoff on workstation
On Thu, 2010-02-04 at 09:19 -0500, Ross Walker wrote:
> On Feb 3, 2010, at 9:36 PM, David McGuffey <davidmcguffey@verizon.net>
> wrote:
>
> > I'm trying to reduce the attack surface to a home machine that is
> > always
> > on and connected to the Internet. It is running CentOS 5.4, with
> > tight
> > iptables rules and sits behind a Verizon FiOS firewall/switch also
> > configured with tight rules.
> >
> > I was wondering how to best block all network access to it when I log
> > off...then unblock it when I log on. Changing iptables requires root
> > access...as does running ifdown and ifup scripts.
> >
> > I could change the permissions on ifdown and ifup and run them from
> > the
> > login/logout scripts, but I'd prefer not to do that.
> >
> > Any tips?
>
> Set iptables to block all inbound traffic unless initiated from your
> workstation.
>
> It's the most secure, all the time.
>
> -Ross
It is already set up that way...but I was thinking about taking the
interface down if no one is logged into the console (this is a
workstation used as a home computer and not supporting any network
servers).
I was thinking of a cron job that would run 'who' and if there were no
active logins, run 'ifdown eth0'
DaveM
02-06-2010, 01:02 AM
Ross Walker
Block network at logoff on workstation
On Feb 5, 2010, at 6:55 PM, David McGuffey <davidmcguffey@verizon.net>
wrote:
>
> On Thu, 2010-02-04 at 09:19 -0500, Ross Walker wrote:
>> On Feb 3, 2010, at 9:36 PM, David McGuffey
>> <davidmcguffey@verizon.net>
>> wrote:
>>
>>> I'm trying to reduce the attack surface to a home machine that is
>>> always
>>> on and connected to the Internet. It is running CentOS 5.4, with
>>> tight
>>> iptables rules and sits behind a Verizon FiOS firewall/switch also
>>> configured with tight rules.
>>>
>>> I was wondering how to best block all network access to it when I
>>> log
>>> off...then unblock it when I log on. Changing iptables requires root
>>> access...as does running ifdown and ifup scripts.
>>>
>>> I could change the permissions on ifdown and ifup and run them from
>>> the
>>> login/logout scripts, but I'd prefer not to do that.
>>>
>>> Any tips?
>>
>> Set iptables to block all inbound traffic unless initiated from your
>> workstation.
>>
>> It's the most secure, all the time.
>>
>> -Ross
> It is already set up that way...but I was thinking about taking the
> interface down if no one is logged into the console (this is a
> workstation used as a home computer and not supporting any network
> servers).
>
> I was thinking of a cron job that would run 'who' and if there were no
> active logins, run 'ifdown eth0'
Why?
That's overkill. If you really want to go that way, why not shut down
the PC when it's not being used, or see if you can make it go into
'sleep' mode, which will turn off the network interfaces.
-Ross
02-06-2010, 08:40 PM
Kwan Lowe
Block network at logoff on workstation
On Wed, Feb 3, 2010 at 9:36 PM, David McGuffey
<davidmcguffey@verizon.net> wrote:
> I'm trying to reduce the attack surface to a home machine that is always
> on and connected to the Internet. It is running CentOS 5.4, with tight
> iptables rules and sits behind a Verizon FiOS firewall/switch also
> configured with tight rules.
>
> I was wondering how to best block all network access to it when I log
> off...then unblock it when I log on. Changing iptables requires root
> access...as does running ifdown and ifup scripts.
>
> I could change the permissions on ifdown and ifup and run them from the
> login/logout scripts, but I'd prefer not to do that.
Many window managers can run scripts on login and logout. You could
create a script that uses sudo to enable/disable the interface, then run
it on login/logout.
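One script that covers both suggestions in the thread, the login/logout hook Kwan describes and the cron job that checks `who` which Dave proposed, as an added example (not code from either of them). Assumptions: the interface is eth0, the script lives at /usr/local/sbin/netgate, the user is `dave`, and the kernel exposes /sys/class/net/eth0/operstate (present since 2.6.17, so it is on CentOS 5). The decision logic is a plain function over `who` output so it can be tested without root.

```shell
#!/bin/sh
# Added example, not code from the thread: gate the network interface on
# whether anyone is logged in at the console. Serves as the sudo'd
# login/logout hook and as the root cron check. Assumed wiring:
#
#   sudoers (visudo): dave ALL=(root) NOPASSWD: /usr/local/sbin/netgate up, \
#                                               /usr/local/sbin/netgate down
#   root crontab:     * * * * * /usr/local/sbin/netgate check
#   WM login hook:    sudo /usr/local/sbin/netgate up
#   WM logout hook:   sudo /usr/local/sbin/netgate down
#
# Interface name, paths and user are assumptions for the example.
IFACE="${IFACE:-eth0}"
IFUP="${IFUP:-/sbin/ifup}"
IFDOWN="${IFDOWN:-/sbin/ifdown}"
OPERSTATE="${OPERSTATE:-/sys/class/net/$IFACE/operstate}"

# Is anyone at the console? `who` prints one line per session, e.g.
#   dave     tty1         2010-02-06 20:40
#   dave     :0           2010-02-06 20:40 (:0)      <- GDM session
#   dave     pts/0        2010-02-06 20:41 (10.0.0.5) <- ssh, pts/N
# Only text consoles (ttyN) and local X displays (:N) count. A remote
# pts/ login is ignored on purpose: a network session must not be able
# to keep the network open for itself.
console_logged_in() {
    # $1: text in `who` format; if unset, read the live command
    who_out="${1-$(who)}"
    printf '%s\n' "$who_out" |
        awk '$2 ~ /^(tty[0-9]+|:[0-9]+)/ { found = 1 } END { exit !found }'
}

iface_is_up() {
    [ -r "$OPERSTATE" ] && [ "$(cat "$OPERSTATE")" = "up" ]
}

# Pure decision helper: maps `who` output to the action `check` takes.
decide() {
    if console_logged_in "$1"; then echo up; else echo down; fi
}

# Change the interface only when its state actually differs, so the
# minutely cron run does not flap it (and ifdown on DHCP does release
# the lease and drop every open connection, so do it once).
gate() {
    case "$1" in
        up)    iface_is_up || "$IFUP" "$IFACE" ;;
        down)  if iface_is_up; then "$IFDOWN" "$IFACE"; fi ;;
        check) gate "$(decide)" ;;
        *)     echo "usage: $0 up|down|check" >&2; return 2 ;;
    esac
}

if [ -n "${1:-}" ]; then
    gate "$1"
fi
```

Two things to get right before trusting this: the script must be owned by root and not writable by the unprivileged user, otherwise the NOPASSWD sudo entry hands that user a root shell; and the sudoers line pins the arguments to `up` and `down` so the user cannot pass anything else. The cron `check` runs from root's crontab, so it needs no sudo at all, and it also repairs the case where a console login happened without the window manager hook firing. A serial console (ttyS0) is deliberately not matched; extend the awk pattern if you use one.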