Security....

Eucke Warren euckew at sierraelectronics.com
Wed Oct 27 18:07:11 UTC 2004


----- Original Message ----- 
From: "James Kosin" <jkosin at beta.intcomgrp.com>
To: "For users of Fedora Core releases" <fedora-list at redhat.com>
Sent: Wednesday, October 27, 2004 10:56 AM
Subject: Re: Security....


> Rodolfo J. Paiz wrote:
>
> >On Wed, 2004-10-27 at 13:00 -0400, James Kosin wrote:
> >
> >>I took a simpler approach.
> >
> >Well yes, that is *simpler* but it is in no way better. It's also very
> >basic... in fact, that's the basic procedure for *any* firewall (close
> >everything then open up what you need), and that's how my firewall is
> >set up too. No news here.
> >
> >The Portsentry setup is to block those people who are going to attack
> >services I *do* run, since they will normally try to attack others as
> >well. So the guy who is going to test SSH for exploits, and try all
> >sorts of stuff on my Apache server, and see if he can get to Sendmail...
> >is also likely to trigger a hostile port and get deep-sixed for 48
> >hours.
> >
> >No iptables ruleset on Earth can protect you from attacks to an open
> >port on which you have a service listening. That job is up to the
> >process listening on the port. But you can attempt to find a way to
> >block those people before or during their probes... my Portsentry
> >mechanism is one such attempt, and has been highly successful for me as
> >an additional layer of defense over the last two years or so.
> >
> >>1.  Set up iptables with the following
> >>    iptables -A INPUT -i lo -j ACCEPT   # this allows the local loop
> >>interface to always work.
> >
> >>Most clients, #1 above is enough to block all attacks.
> >
> >No way. #1 above has nothing to do with any external attacks. And indeed
> >closing all ports by default is just a precaution, since there should be
> >nothing listening on those ports *anyway* and thus there should be
> >nothing to crack except the services you do run. So in the end, your
> >primary risk comes from the services you offer being cracked or rooted.
> >
> >Again, no iptables ruleset on Earth can protect you from that.
> >
> >Cheers,
> >
> Sorry, maybe I didn't make myself clear.  #1 included all 3 iptables
> entries, not just the first.
> If you want to really cripple your machine, just do the first and third
> iptables entries and you will not be able to browse the web or anything.
> The second one opens up the return path for connections established by
> the client machine.
> You don't give iptables a chance.  It is a very powerful feature.  With
> proper setup you can allow unfettered access to your server on your
> network alone and deny access (or restrict) everyone else.
>
> James Kosin

Great thread guys...I do have to say...once I realized what Rodolfo was
describing I had to laugh.  Very clever!  Great mechanism!  May need to look
into it for my stuff...

-Eucke
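The two mechanisms argued over above, as an added example that is not part of the thread or of either poster's setup: a default-deny INPUT chain in the shape James describes (allow loopback, let return traffic for connections this host opened back in, drop everything else, then open only the services actually listening), plus a trap port in the spirit of Rodolfo's Portsentry mechanism, implemented here with the iptables `recent` match rather than Portsentry. Everything beyond the one loopback rule quoted above is an assumption: the service list (SSH and HTTP), the trap port number (1234), the 48-hour ban taken from Rodolfo's description, and the use of the `state` and `recent` matches. Run it as `sh firewall.sh --apply` as root to load the rules; any other invocation only prints them.

```shell
#!/bin/sh
# Added example, not code from the fedora-list thread. Default-deny iptables
# ruleset plus a trap port that bans probing hosts for 48 hours.
# Assumptions: iptables with the 'state' and 'recent' matches; SSH and HTTP
# are the only offered services; TCP port 1234 is unused and acts as the trap.
set -e

IPT="${IPT:-iptables}"          # command to run; the dry run overrides this
SERVICES="${SERVICES:-22 80}"   # assumption: ports this host really listens on
TRAP_PORT="${TRAP_PORT:-1234}"  # assumption: a closed port no client should touch
BAN_SECONDS=172800              # 48 hours, the ban length quoted in the thread

apply_rules() {
    # Start from an empty INPUT chain with a default-deny policy. Outbound
    # traffic is left open; the ESTABLISHED,RELATED rule lets replies back in.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # 1. Loopback must always work (the one rule quoted in the thread).
    $IPT -A INPUT -i lo -j ACCEPT

    # Trap port. Any source seen on the 'hostile' list within BAN_SECONDS is
    # dropped outright, existing connections included, so this sits before
    # every ACCEPT rule. Touching TRAP_PORT puts the source on that list.
    $IPT -A INPUT -m recent --name hostile --rcheck --seconds "$BAN_SECONDS" -j DROP
    $IPT -A INPUT -p tcp --dport "$TRAP_PORT" -m recent --name hostile --set -j DROP

    # 2. Return path for connections this machine opened as a client.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Open only the services actually listening; everything else stays closed.
    for port in $SERVICES; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # 3. Explicit final drop. The policy already does this; the rule makes
    #    the intent visible in 'iptables -L INPUT'.
    $IPT -A INPUT -j DROP
}

# Print the ruleset instead of loading it, for review from a non-root shell.
dry_run() { ( IPT="echo iptables"; apply_rules ); }

# Number of rules the dry run would append to INPUT.
rule_count() { dry_run | grep -c ' -A INPUT '; }

case "${1:-}" in
    --apply) apply_rules ;;
    *)       dry_run ;;
esac
```

Order is the point: the `recent --rcheck` drop has to precede the ESTABLISHED,RELATED accept, otherwise a banned host keeps whatever sessions it already had, and the trap rule has to precede the service accepts so a scan that walks the port range trips it before reaching SSH or HTTP. Pick a trap port that no legitimate client will ever connect to; a typo in a client config is enough to lock a real user out for two days, which is the same caveat that applies to Portsentry.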
