Security....

Rodolfo J. Paiz rpaiz at simpaticus.com
Wed Oct 27 17:45:02 UTC 2004


On Wed, 2004-10-27 at 13:00 -0400, James Kosin wrote:
> I took a simpler approach.
> 

Well yes, that is *simpler* but it is in no way better. It's also very
basic... in fact, that's the basic procedure for *any* firewall (close
everything then open up what you need), and that's how my firewall is
set up too. No news here.

The Portsentry setup is to block those people who are going to attack
services I *do* run, since they will normally try to attack others as
well. So the guy who is going to test SSH for exploits, and try all
sorts of stuff on my Apache server, and see if he can get to Sendmail...
is also likely to trigger a hostile port and get deep-sixed for 48
hours.

No iptables ruleset on Earth can protect you from attacks to an open
port on which you have a service listening. That job is up to the
process listening on the port. But you can attempt to find a way to
block those people before or during their probes... my Portsentry
mechanism is one such attempt, and has been highly successful for me as
an additional layer of defense over the last two years or so.

> 1.  Set up iptables with the following
>     iptables -A INPUT -i lo -j ACCEPT   # this allows local loopback interface to always work.

> Most clients, #1 above is enough to block all attacks.
> 

No way. #1 above has nothing to do with any external attacks. And indeed
closing all ports by default is just a precaution, since there should be
nothing listening on those ports *anyway* and thus there should be
nothing to crack except the services you do run. So in the end, your
primary risk comes from the services you offer being cracked or rooted.

Again, no iptables ruleset on Earth can protect you from that.

Cheers,

-- 
Rodolfo J. Paiz <rpaiz at simpaticus.com>
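The mechanism Rodolfo describes (a connection to a deliberately unused "hostile" port gets the source address dropped for 48 hours, while the real services stay open and are left to defend themselves) can be modelled in a few lines. The following is an added illustration, not Portsentry's code or the configuration from the message: the port sets, the connection log and the emitted iptables command strings are all constructed for the example, and the 48-hour block is the only value taken from the text.

```python
"""Simplified Portsentry-style tripwire model (hypothetical illustration).

A host that connects to a port nobody is meant to use is blocked for a fixed
period; connections to real services are never used as a trigger, and a
closed port that is not a tripwire is simply left to the default-deny firewall.
"""
from datetime import datetime, timedelta

# Ports with a real listener, as in the message: SSH, SMTP, HTTP.
SERVICE_PORTS = {22, 25, 80}
# Constructed set of ports deliberately left unused; any hit is treated as hostile.
TRIPWIRE_PORTS = {1, 11, 15, 79, 111, 143, 540, 1080}
# Block duration taken from the message: 48 hours.
BLOCK_DURATION = timedelta(hours=48)

# Constructed connection log: "<ISO timestamp> <source IP> <destination port>"
SAMPLE_LOG = """\
2004-10-27T13:01:05 203.0.113.7 22
2004-10-27T13:01:06 203.0.113.7 80
2004-10-27T13:01:07 203.0.113.7 111
2004-10-27T13:01:08 203.0.113.7 25
2004-10-27T13:05:00 198.51.100.2 80
2004-10-27T13:06:00 198.51.100.2 443
2004-10-29T13:02:00 203.0.113.7 22
"""


def parse_log(text):
    """Turn the constructed log into (timestamp, source, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        records.append((datetime.fromisoformat(ts), src, int(port)))
    return records


class Tripwire:
    def __init__(self, tripwire_ports=TRIPWIRE_PORTS, duration=BLOCK_DURATION):
        self.tripwire_ports = set(tripwire_ports)
        self.duration = duration
        self.blocked_until = {}   # source IP -> datetime the block expires
        self.actions = []         # iptables commands that would be run (not executed)

    def is_blocked(self, ip, now):
        """Check an active block, and expire it once the 48 hours have passed."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")
            return False
        return True

    def observe(self, now, ip, port):
        """Classify one connection attempt.

        'dropped'  - source is currently blocked, packet never reaches a service
        'blocked'  - source just touched a tripwire port and is blocked from now on
        'allowed'  - a real service port; the listening process must defend itself
        'closed'   - no listener and no tripwire; the default-deny ruleset handles it
        """
        if self.is_blocked(ip, now):
            return "dropped"
        if port in self.tripwire_ports:
            self.blocked_until[ip] = now + self.duration
            self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")
            return "blocked"
        if port in SERVICE_PORTS:
            return "allowed"
        return "closed"


def replay(text):
    """Run the log through a fresh tripwire; return per-line verdicts and actions."""
    tw = Tripwire()
    verdicts = [(src, port, tw.observe(ts, src, port))
                for ts, src, port in parse_log(text)]
    return verdicts, tw.actions


if __name__ == "__main__":
    for src, port, verdict in replay(SAMPLE_LOG)[0]:
        print(f"{src:14} port {port:<5} {verdict}")
```

The log shows the point of the layered approach: the scanner's probes of SSH and Apache are allowed through (the firewall cannot help there), but its touch of port 111 trips the block, so its later probe of Sendmail is dropped before reaching the daemon. Two days later the block has expired and the host is treated normally again, and the second client's hit on a closed, non-tripwire port is left to the default-deny ruleset rather than counted as hostile.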