NTP, ntpdate, and ISP-based firewall

Bevan C. Bennett bevan at fulcrummicro.com
Fri Mar 5 00:09:39 UTC 2004


jdow wrote:

> A professional computer criminal might check some of the more oddball
> ports and discover something. <enh> So it happens. I still have formal
> barriers beyond the basic firewall. If each attacker has say a probability
> p of penetrating the internal barriers and a probability of b of deciding
> that the void he probed was really something ripe for more probing then
> I've reduced my probability of getting hacked by b. If b is 1 in 10 and
> p is 1 in 1000 then the combined probability that the NEXT layer
> will be probed is reduced to about 1 in 10,000. Proper defense is built
> in layers like an onion. I'm not invulnerable here. But I've worked to
> reduce the risk by every reasonable factor I can control.

Layered defenses are indeed the correct way to build up security.

If your system is truly 100% passive and offers no services at all then 
favoring DROP over REJECT can offer you some extra stealth at the 
expense of the ability to easily debug problems through the standard 
mechanisms like ping, traceroute and tcpdump.  If you are providing at 
least one service on the system, then using DROP won't help hide you 
against a simple scan (no professional required) and all your choice 
does is make your system standards-unfriendly.

It doesn't make me more of a target to return 'ICMP prohibited' packets 
in reply to probes at prohibited ports. On the contrary it probably 
makes me less of a target because I clearly have active security 
measures in place.

> Obscurity is no defense; but, obscurity times firewall times tcpwrapper
> times passwords times internal firewalls times yatta and more yatta yet
> is better than without the obscurity, eh?

If the obscurity only gives you a false sense of security, while 
impairing your own ability to monitor and debug your configuration, then 
it is indeed better without the obscurity.

Put a firewall in front of your local network.
Run host-based firewalls like iptables.
Use secure protocols whenever possible.
Run daemons chrooted when possible, and minimize the daemons you run.
Use tcpwrappers to further limit access to the daemons you do run.

All these are good layers that do add to your security. Refusing to 
answer pings doesn't really add much, and just makes your server seem 
rude. ;)
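The DROP-versus-REJECT choice discussed above, as an added example that is not part of the original mail or of any Fedora package: a small POSIX shell script that emits an iptables INPUT ruleset for the two cases the mail contrasts. In "passive" mode the host offers nothing and silently drops unsolicited traffic; in "service" mode the host offers one service (assumed here to be sshd on tcp/22, adjustable through SERVICE_PORT) and answers probes of closed ports with a TCP reset, ICMP port-unreachable or ICMP admin-prohibited, so ping, traceroute and tcpdump keep working. The script only prints the rules unless APPLY=1 is set and it runs as root.

```shell
#!/bin/sh
# Added example, not part of the original mail or of any Fedora package.
# Builds a host firewall (iptables) for the two cases the mail contrasts:
#   passive  - the host offers no service at all: silently DROP everything
#              unsolicited (the only case where DROP buys any stealth)
#   service  - the host offers one service (assumption: sshd on tcp/22):
#              answer probes of closed ports with an ICMP error or a TCP
#              reset instead of dropping them, so ping, traceroute and
#              tcpdump keep working for debugging
# By default the script only prints the rules; set APPLY=1 and run as root
# to load them.

SERVICE_PORT="${SERVICE_PORT:-22}"   # assumption: the one exposed service

# Print the iptables commands for the requested mode ("passive" or "service").
build_ruleset() {
    mode="$1"
    # Rules common to both modes: start clean, trust loopback, and accept
    # replies belonging to connections this host initiated.
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    case "$mode" in
    passive)
        # Nothing is offered, so nothing needs to be reachable; a silent
        # drop of everything else is the whole policy.
        echo "iptables -P INPUT DROP"
        ;;
    service)
        # Ping stays answered (rate-limited), the one service is reachable,
        # and every other probe gets a standards-friendly refusal: a TCP
        # reset for TCP, port-unreachable for UDP, admin-prohibited for
        # anything else.
        cat <<EOF
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -p tcp --dport ${SERVICE_PORT} --syn -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited
EOF
        ;;
    *)
        echo "usage: build_ruleset passive|service" >&2
        return 1
        ;;
    esac
}

# Count the rules in a mode that send an explicit refusal back to the prober
# (0 for passive, 3 for service).
count_rejects() {
    build_ruleset "$1" | grep -c -- '-j REJECT' || true
}

if [ "${APPLY:-0}" = "1" ]; then
    build_ruleset "${1:-service}" | sh -e
else
    build_ruleset "${1:-service}"
fi
```

Run `sh host-fw.sh service` (or `passive`) to review the rules it would load; `APPLY=1 sh host-fw.sh service` as root pipes them into a shell. In service mode the final catch-all REJECT means the chain's default policy is never reached, which is the point: a probe of a closed port gets a definite answer rather than a timeout.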





More information about the fedora-list mailing list