Security....

James Kosin jkosin at beta.intcomgrp.com
Wed Oct 27 17:56:45 UTC 2004


Rodolfo J. Paiz wrote:

>On Wed, 2004-10-27 at 13:00 -0400, James Kosin wrote:
>
>>I took a simpler approach.
>
>Well yes, that is *simpler* but it is in no way better. It's also very
>basic... in fact, that's the basic procedure for *any* firewall (close
>everything then open up what you need), and that's how my firewall is
>set up too. No news here.
>
>The Portsentry setup is to block those people who are going to attack
>services I *do* run, since they will normally try to attack others as
>well. So the guy who is going to test SSH for exploits, and try all
>sorts of stuff on my Apache server, and see if he can get to Sendmail...
>is also likely to trigger a hostile port and get deep-sixed for 48
>hours.
>
>No iptables ruleset on Earth can protect you from attacks to an open
>port on which you have a service listening. That job is up to the
>process listening on the port. But you can attempt to find a way to
>block those people before or during their probes... my Portsentry
>mechanism is one such attempt, and has been highly successful for me as
>an additional layer of defense over the last two years or so.
>
>
>>1.  Set up iptables with the following
>>    iptables -A INPUT -i lo -j ACCEPT   # this allows the local loopback
>>    interface to always work.
>
>>For most clients, #1 above is enough to block all attacks.
>
>No way. #1 above has nothing to do with any external attacks. And indeed
>closing all ports by default is just a precaution, since there should be
>nothing listening on those ports *anyway* and thus there should be
>nothing to crack except the services you do run. So in the end, your
>primary risk comes from the services you offer being cracked or rooted.
>
>Again, no iptables ruleset on Earth can protect you from that.
>
>Cheers,
>
Sorry, maybe I didn't make myself clear. #1 included all 3 iptables
entries, not just the first.
If you want to really cripple your machine, just do the first and third
iptables entries and you will not be able to browse the web or anything.
The second one opens up the return path for connections established by
the client machine.
You don't give iptables a chance. It is a very powerful feature. With
proper setup you can allow unfettered access to your server on your
network alone and deny access (or restrict) everyone else.

James Kosin
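To show why the second entry matters (the return path described above), here is an added toy model of the INPUT chain, written for this page and not code from either poster. Only the first entry is quoted in the thread, so the form of the second (accept ESTABLISHED,RELATED) and third (default DROP) entries, the LAN allow rule and all addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on, "lo" or "eth0"
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Firewall:
    # Constructed conntrack table: (local_ip, local_port, remote_ip, remote_port)
    # for every connection this host itself initiated.
    conntrack: set = field(default_factory=set)
    state_rule: bool = True        # assumed entry #2: accept ESTABLISHED,RELATED
    lan: str = "192.0.2.0/24"      # assumed LAN allow rule (constructed prefix)

    def send(self, pkt):
        """Outgoing packet: record the flow so its replies can be matched."""
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def input(self, pkt):
        """INPUT chain evaluated top to bottom; returns the verdict string."""
        if pkt.iface == "lo":                                 # entry #1
            return "ACCEPT"
        if self.state_rule and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT"                                   # entry #2: reply to our own connection
        if self.lan and ip_address(pkt.src) in ip_network(self.lan):
            return "ACCEPT"                                   # LAN hosts get unrestricted access
        return "DROP"                                         # entry #3 / default policy

HOST = "192.0.2.10"   # constructed address of the firewalled machine

def browse_web(state_rule):
    """The host opens a TCP connection to a web server; verdict on the reply."""
    fw = Firewall(state_rule=state_rule)
    fw.send(Packet("eth0", HOST, "198.51.100.7", sport=40000, dport=80))
    return fw.input(Packet("eth0", "198.51.100.7", HOST, sport=80, dport=40000))

def unsolicited_probe(src="203.0.113.5"):
    """A remote host probes SSH with no prior connection from us."""
    return Firewall().input(Packet("eth0", src, HOST, sport=51515, dport=22))

def loopback():
    """Local traffic on lo is always allowed by entry #1."""
    return Firewall().input(Packet("lo", "127.0.0.1", "127.0.0.1", sport=5000, dport=25))
```

Without the state rule the web server's reply is dropped, which is exactly the "cannot browse the web" failure described, while an unsolicited probe from outside the LAN is dropped in both configurations.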




More information about the fedora-list mailing list