[CentOS] Block network at logoff on workstation

Ross Walker rswwalker at gmail.com
Sat Feb 6 02:02:27 UTC 2010


On Feb 5, 2010, at 6:55 PM, David McGuffey <davidmcguffey at verizon.net> wrote:

>
> On Thu, 2010-02-04 at 09:19 -0500, Ross Walker wrote:
>> On Feb 3, 2010, at 9:36 PM, David McGuffey <davidmcguffey at verizon.net> wrote:
>>
>>> I'm trying to reduce the attack surface to a home machine that is
>>> always on and connected to the Internet.  It is running CentOS 5.4,
>>> with tight iptables rules and sits behind a Verizon FiOS
>>> firewall/switch also configured with tight rules.
>>>
>>> I was wondering how to best block all network access to it when I
>>> log off...then unblock it when I log on. Changing iptables requires
>>> root access...as does running ifdown and ifup scripts.
>>>
>>> I could change the permissions on ifdown and ifup and run them from
>>> the login/logout scripts, but I'd prefer not to do that.
>>>
>>> Any tips?
>>
>> Set iptables to block all inbound traffic unless initiated from your
>> workstation.
>>
>> It's the most secure, all the time.
>>
>> -Ross
> It is already set up that way...but I was thinking about taking the
> interface down if no one is logged into the console (this is a
> workstation used as a home computer and not supporting any network
> servers).
>
> I was thinking of a cron job that would run 'who' and if there were no
> active logins, run 'ifdown eth0'

Why?

That's overkill. If you really want to go that way, why not shut down
the PC when it's not being used, or see if you can make it go into
'sleep' mode, which will turn off the network interfaces.

-Ross
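The cron job David sketches above (run `who`, and `ifdown eth0` when nobody is logged in), written out as an added example; this is not code from the thread or from CentOS. It assumes the interface is eth0, CentOS 5's /sbin/ifup and /sbin/ifdown, the iproute `ip` tool, and that the job runs every few minutes from root's crontab. The script name netgate.sh and the function names are made up for the example. It also covers the other half of the original question, bringing the interface back up once someone is at the console again, and it only counts console sessions (ttyN and :N displays), since a remote pts session would be cut off by taking the interface down anyway.

```shell
#!/bin/sh
# netgate.sh (example, not from the thread): bring eth0 down when nobody is
# logged in at the console, and back up when somebody is.  Intended to run
# from root's crontab, e.g.:   */5 * * * * /usr/local/sbin/netgate.sh run
# Assumptions: interface eth0, CentOS 5-style /sbin/ifup and /sbin/ifdown,
# and the iproute `ip` command.

IFACE="${IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the action instead of running it

# console_logins TEXT: count lines of `who`-style output whose terminal is a
# local console (tty1, tty2, ...) or a local X display (:0, :1, ...).
# Remote pts/N sessions are deliberately not counted: the test is console
# presence, and those sessions die with the interface anyway.
console_logins() {
    printf '%s\n' "$1" |
        awk '$2 ~ /^(tty[0-9]+|:[0-9]+)$/ { n++ } END { print n + 0 }'
}

# decide TEXT: print "down" when TEXT shows no console login, else "up".
decide() {
    if [ "$(console_logins "$1")" -eq 0 ]; then
        echo down
    else
        echo up
    fi
}

# iface_is_up: succeed when the interface carries the UP flag in `ip link`.
# UP is anchored between '<' or ',' and ',' or '>' so LOWER_UP does not match.
iface_is_up() {
    ip link show dev "$IFACE" 2>/dev/null | grep -qE '<([^>]*,)?UP(,|>)'
}

# apply WANT: run ifdown/ifup only when the interface is not already in the
# wanted state, so repeated cron runs are idempotent and produce no noise.
apply() {
    want="$1"
    if iface_is_up; then state=up; else state=down; fi
    [ "$want" = "$state" ] && return 0
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: /sbin/if$want $IFACE"
    else
        "/sbin/if$want" "$IFACE"
    fi
}

# Only act when invoked as "netgate.sh run", so the functions above can be
# sourced and exercised on sample `who` output without touching a real NIC.
if [ "${1:-}" = run ]; then
    apply "$(decide "$(who)")"
fi
```

Because the job polls, the interface comes back up within one cron interval of a console login rather than immediately, which is the price of not giving the login scripts root access to ifup. Ross's point stands as well: with a stateful iptables policy that already drops everything not initiated from the box, taking the interface down mostly removes outbound traffic (updates, NTP) rather than closing any inbound exposure the firewall had left open.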