NTP, ntpdate, and ISP-based firewall
Jeff Vian
jvian10 at charter.net
Fri Mar 5 00:46:47 UTC 2004
Bevan C. Bennett wrote:
> jdow wrote:
>
>> A professional computer criminal might check some of the more oddball
>> ports and discover something. <enh> So it happens. I still have formal
>> barriers beyond the basic firewall. If each attacker has say a
>> probability p of penetrating the internal barriers and a probability of
>> b of deciding that the void he probed was really something ripe for more
>> probing then I've reduced my probability of getting hacked by b. If b is
>> 1 in 10 and p is 1 in 1000 then the combined probability that the NEXT
>> layer will be probed is reduced to about 1 in 10,000. Proper defense is
>> built in layers like an onion. I'm not invulnerable here. But I've worked
>> to reduce the risk by every reasonable factor I can control.
>
>
> Layered defenses are indeed the correct way to build up security.
>
> If your system is truly 100% passive and offers no services at all
> then favoring DROP over REJECT can offer you some extra stealth at the
> expense of the ability to easily debug problems through the standard
> mechanisms like ping, traceroute and tcpdump. If you are providing at
> least one service on the system, then using DROP won't help hide you
> against a simple scan (no professional required) and all your choice
> does is make your system standards-unfriendly.
>
> It doesn't make me more of a target to return 'ICMP prohibited'
> packets in reply to probes at prohibited ports. On the contrary it
> probably makes me less of a target because I clearly have active
> security measures in place.
>
>> Obscurity is no defense; but, obscurity times firewall times tcpwrapper
>> times passwords times internal firewalls times yatta and more yatta yet
>> is better than without the obscurity, eh?
>
>
> If the obscurity only gives you a false sense of security, while
> impairing your own ability to monitor and debug your configuration,
> then it is indeed better without the obscurity.
>
> Put a firewall in front of your local network.
> Run host-based firewalls like iptables.
> Use secure protocols whenever possible.
> Run daemons chrooted when possible, and minimize the daemons you run.
> Use tcpwrappers to further limit access to the daemons you do run.
>
> All these are good layers that do add to your security. Refusing to
> answer pings doesn't really add much, and just makes your server seem
> rude. ;)
>
So by your definition, these hosts are rude???? (Many more examples
available.)
[jeff]$ ping www.mysql.com
PING www.mysql.com (66.35.250.190) 56(84) bytes of data.
--- www.mysql.com ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms
[jeff]$ ping www.redhat.com
PING www.redhat.com (66.187.232.50) 56(84) bytes of data.
--- www.redhat.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5018ms
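The DROP-versus-REJECT choice argued over above, as an added example that is not part of the original thread or either poster's configuration: a POSIX shell function that emits an iptables-restore ruleset for a host offering a few TCP services, with the behaviour toward unwanted traffic selected by a parameter. In "reject" mode closed ports answer with a TCP RST and everything else with ICMP admin-prohibited, so ping and traceroute keep working for debugging; in "drop" mode the chain policy silently discards the same packets. The function name, the port list, and the rate limit are illustrative assumptions; the script only prints the ruleset, it does not apply it.

```shell
#!/bin/sh
# gen_rules MODE [tcp_port ...]
#   MODE is "drop" (silently discard unwanted packets via the chain policy)
#   or "reject" (answer closed ports with TCP RST / ICMP admin-prohibited).
# Output is iptables-restore syntax; review it, then as root:
#   gen_rules reject 22 80 | iptables-restore
# Assumes iptables with the conntrack match, limit match and REJECT target
# (standard on any modern Linux, but an assumption here, not from the thread).
gen_rules() {
    mode="$1"
    shift
    case "$mode" in
        drop|reject) ;;
        *) echo "usage: gen_rules drop|reject [tcp_port ...]" >&2; return 1 ;;
    esac

    echo '*filter'
    # Default policies: inbound and forwarded traffic is dropped unless a
    # rule below accepts (or, in reject mode, explicitly rejects) it.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'

    # Loopback and replies to our own connections are always fine.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'

    # Keep answering ping (rate-limited) so ping/traceroute stay usable for
    # debugging; the host is not hidden anyway once it serves a single port.
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'

    # One ACCEPT per offered service (illustrative ports passed by the caller).
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done

    if [ "$mode" = reject ]; then
        # Standards-friendly refusal: RST for TCP, ICMP type 3 code 13 for the rest.
        echo '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
        echo '-A INPUT -j REJECT --reject-with icmp-admin-prohibited'
    fi
    # In drop mode nothing else is needed: the INPUT policy discards the remainder.
    echo 'COMMIT'
}

# Stand-alone run: print the ruleset for a host offering SSH and HTTP.
gen_rules "${MODE:-reject}" 22 80
```

Comparing the two outputs (set MODE=drop for the other variant) shows the only difference is the two REJECT lines; the open ports, and therefore what a port scanner learns, are identical in both modes.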