Hack attempts

Scot L. Harris webid at cfl.rr.com
Mon Jul 26 13:36:11 UTC 2004


On Mon, 2004-07-26 at 08:01, Botond Kardos wrote:
> On Sat, 2004-07-24 at 18:56, Scot L. Harris wrote:

> > 
> > For those that have the skills, time, equipment, money, a hardened linux
> > box may be a good alternative.  For the vast majority of people out
> > there that really just want to use their system for email, web browsing,
> > games, and possibly some actual work, a simple dedicated inexpensive
> > router/firewall will do a very good job.  True it does not have all the
> > features of a full blown firewall box but then most people don't need
> > fine grained access controls or the ability to filter or trap specific
> > packets.
> > 
> > For the price of between 40 and 60 dollars such a firewall can prevent
> > most if not all attempts at getting at systems sitting behind it.  The
> > kind of probing mentioned here is just the kind of thing that such a
> > firewall would deflect very easily.  
> > 
> > Also, using a dedicated single-purpose device usually eliminates a large
> > number of the potential holes that a more complex powerful box may
> > suffer from if improperly configured.  Fewer options mean fewer chances
> > to misconfigure things.
> > 
> 
>     I disagree with you and share the opinion of Bruno. If you want to
> have other ports open than just simple HTTP or FTP, you'll end up
> spending at least the same number of hours configuring your box as you
> would spend on your own Linux. (For example, I wasn't able to properly
> set up an SMC router to let DC++ out/in but filter other outgoing
> packets.)
>     They're simply cheaper, quieter, consume less power, dissipate
> less heat and need fewer cables. They don't protect better.

Please note I said "For the vast majority of people...": a cheap hardware
router/firewall will provide more than sufficient protection without
them having to spend inordinate amounts of time learning how to properly
configure security on their systems.  Is it perfect?  No.  Is it better
than nothing or an improperly set up system?  Yes.

For someone new to computers or just new to linux such a device can buy
them the time to learn and use the system.  I have seen reports that
indicate a brand new Windows box connected directly to the Internet will
be infected within 10 minutes.  I have seen many people trying to figure
out how to get all the updates in place on a system before they lose
control.

Can you harden a linux system as well as or better than a cheap hardware
firewall?  You may be able to today; someone new maybe not.

And if you are poking holes through the firewall, whether it be a
hardware firewall or iptables on a linux box, you need to know what you
are doing and the risks you are taking.  

Many times people need to have various services open on a system such as
ssh or ftp which are used only locally on the LAN.  With a separate
hardware firewall in place those services are not exposed to the
Internet and probes would not reach the server.  

The vast majority of people out there have no need to open ssh to the
Internet or use DC++.  For those that do have that need, they hopefully
understand the risks and take precautions, i.e. use good passwords,
updated software, implement IDS services, monitor log files.

I don't think I ever said that a hardware router/firewall was better
protection; I do believe that for the vast majority of people out there
such a device is easier to set up and less prone to configuration errors
than getting a linux server configured securely.  You personally may
fall in the minority that knows how to properly set things up or needs
services that are not available on these inexpensive routers.

And as has been mentioned, the best protection is using good passwords
on whatever services you expose.

Also, there are dozens of ways to configure a server and a LAN.  All of
them are valid, some are better in certain situations than others.

-- 
Scot L. Harris
webid at cfl.rr.com

The sight of death frightens them [Earthers].
		-- Kras the Klingon, "Friday's Child", stardate 3497.2 
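The point in the reply about ssh and ftp being reachable only from the LAN, written out as an added example that is not part of the original thread: the same layout as iptables rules on a Linux box with one Internet-facing and one LAN-facing interface. The interface names, the LAN subnet and the weak/corrected contrast are assumptions for illustration, not anything taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: the "ssh/ftp only on the LAN"
# layout from the reply, as iptables rules on a two-interface Linux box.
# Interface names and the LAN subnet are assumptions; adjust to your network.
# NAT and enabling net.ipv4.ip_forward are needed for a router and not shown.
set -eu

WAN_IF="${WAN_IF:-eth0}"              # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: private LAN range
IPT="${IPT:-iptables}"                # IPT=echo prints the rules instead

# Weak layout, for contrast only: ssh and ftp accepted from any source, so
# every probe arriving from the Internet reaches the listening daemons.
weak_rules() {
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -j ACCEPT
}

# Corrected layout: default-deny inbound and forwarded traffic, allow
# replies to connections this box or the LAN initiated, accept ssh/ftp only
# from the LAN interface and subnet, and drop everything unsolicited that
# arrives on the WAN side, so Internet probes never reach a service.
lan_only_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Anti-spoofing: a LAN source address must never arrive on the WAN side.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 21 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -j DROP
    # LAN hosts may go out; only their return traffic is forwarded back in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Without the "apply" argument, only print the rules that would be loaded.
if [ "${1:-}" != "apply" ]; then
    IPT=echo
fi
lan_only_rules
```

Run it with no arguments to review the generated rules; `apply` as root loads them, and the weak ruleset is included only so the two can be compared side by side.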
More information about the fedora-list mailing list