Security....
Eucke Warren
euckew at sierraelectronics.com
Wed Oct 27 18:07:11 UTC 2004
----- Original Message -----
From: "James Kosin" <jkosin at beta.intcomgrp.com>
To: "For users of Fedora Core releases" <fedora-list at redhat.com>
Sent: Wednesday, October 27, 2004 10:56 AM
Subject: Re: Security....
> Rodolfo J. Paiz wrote:
>
> >On Wed, 2004-10-27 at 13:00 -0400, James Kosin wrote:
> >
> >>I took a simpler approach.
> >
> >Well yes, that is *simpler* but it is in no way better. It's also very
> >basic... in fact, that's the basic procedure for *any* firewall (close
> >everything then open up what you need), and that's how my firewall is
> >set up too. No news here.
> >
> >The Portsentry setup is to block those people who are going to attack
> >services I *do* run, since they will normally try to attack others as
> >well. So the guy who is going to test SSH for exploits, and try all
> >sorts of stuff on my Apache server, and see if he can get to Sendmail...
> >is also likely to trigger a hostile port and get deep-sixed for 48
> >hours.
> >
> >No iptables ruleset on Earth can protect you from attacks to an open
> >port on which you have a service listening. That job is up to the
> >process listening on the port. But you can attempt to find a way to
> >block those people before or during their probes... my Portsentry
> >mechanism is one such attempt, and has been highly successful for me as
> >an additional layer of defense over the last two years or so.
> >
> >>1. Setup iptables with the following
> >> iptables -A INPUT -i lo -j ACCEPT # this allows local loop
> >>interface to always work.
> >
> >>Most clients, #1 above is enough to block all attacks.
> >
> >No way. #1 above has nothing to do with any external attacks. And indeed
> >closing all ports by default is just a precaution, since there should be
> >nothing listening on those ports *anyway* and thus there should be
> >nothing to crack except the services you do run. So in the end, your
> >primary risk comes from the services you offer being cracked or rooted.
> >
> >Again, no iptables ruleset on Earth can protect you from that.
> >
> >Cheers,
> >
> Sorry, maybe I didn't make myself clear. #1 included all 3 iptable
> entries not just the first.
> If you want to really cripple your machine, just do the first and third
> iptable entries and you will not be able to browse the web or anything.
> The second one opens up the return path for connections established by
> the client machine.
> You don't give iptables a chance. It is a very powerful feature. With
> proper setup you can allow unfettered access to your server on your
> network alone and deny access (or restrict) everyone else.
>
> James Kosin
Great thread guys...I do have to say...once I realized what Rodolfo was
describing I had to laugh. Very clever! Great mechanism! May need to look
into it for my stuff...
-Eucke
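The three-rule baseline James refers to (loopback accept, return path for established connections, default drop), written out as a script. This is an added example for readers of the thread, not James's own script, and the set of deliberately opened services (ssh and http) and the IPTABLES/OPEN_TCP_PORTS variables are assumptions for illustration; set IPTABLES=echo to preview the commands without root.

```shell
#!/bin/sh
# Added example, not from the thread: the "close everything, then open what
# you need" baseline described above. IPTABLES may be pointed at "echo" to
# preview what would be installed without touching a live firewall.
IPTABLES="${IPTABLES:-iptables}"

# Services this host deliberately exposes (assumed: ssh and http). These are
# the only ports an outside attacker can reach, so the listening daemons,
# not the ruleset, are what protects them.
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 80}"

apply_baseline() {
    # Start from an empty INPUT chain so the rules land in a known order.
    "$IPTABLES" -F INPUT
    # Rule 1: the loopback interface always works.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # Rule 2: return path for connections this machine opened itself.
    # Leaving this out is what breaks web browsing, as the thread notes.
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Explicitly opened services, new connections only.
    for p in $OPEN_TCP_PORTS; do
        "$IPTABLES" -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Rule 3: everything else is dropped by default.
    "$IPTABLES" -P INPUT DROP
}

# Number of iptables invocations the baseline makes (useful for a dry run).
rule_count() {
    IPTABLES=echo apply_baseline | wc -l | tr -d ' '
}

if [ "${1:-}" = "--preview" ]; then
    IPTABLES=echo apply_baseline
fi
```

Run it with --preview first; on a remote box apply it from the console, since flushing INPUT with a DROP policy already in place cuts off the session that is installing the rules.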
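And the other half of the thread, Rodolfo's Portsentry-style tripwire, reduced to its core so the mechanism is visible: a source that touches a decoy port nobody serves on is treated as hostile and blocked for 48 hours, which also cuts off its probes against the services that are really running. Added example only, not Portsentry's code and not Rodolfo's configuration; the decoy port list, the event format and the sample events are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a Portsentry-style tripwire.
# Decoy ports (assumed unused on this host): any connection attempt to one
# of them marks the source as hostile.
DECOY_PORTS="${DECOY_PORTS:-1 111 1080 31337}"
# Block window from the thread: 48 hours.
BLOCK_SECONDS=$((48 * 3600))

# Constructed sample of connection attempts: "<epoch> <src-ip> <dst-port>".
# 203.0.113.7 probes ssh and http, then trips 31337; 192.0.2.44 trips 1080;
# 198.51.100.9 only ever talks to the web server and is left alone.
SAMPLE_EVENTS='1098900000 203.0.113.7 22
1098900001 203.0.113.7 80
1098900002 203.0.113.7 31337
1098900003 198.51.100.9 80
1098900004 192.0.2.44 1080
1098900005 203.0.113.7 25'

# Read events on stdin; print "<ip> <block-until-epoch>" once per hostile
# source, dating the block from its first decoy hit.
tripwire() {
    awk -v decoys="$DECOY_PORTS" -v window="$BLOCK_SECONDS" '
        BEGIN { n = split(decoys, d, " "); for (i = 1; i <= n; i++) isdecoy[d[i]] = 1 }
        ($3 in isdecoy) && !($2 in blocked) {
            blocked[$2] = $1 + window
            print $2, blocked[$2]
        }'
}

# Turn tripwire output into the rule that enforces the block. The comment
# carries the expiry so a periodic job can remove the rule after 48 hours.
block_rules() {
    tripwire | while read -r ip expiry; do
        echo "iptables -I INPUT -s $ip -m comment --comment \"tripwire until $expiry\" -j DROP"
    done
}

# How many sources in the sample trip the wire.
sample_hits() {
    printf '%s\n' "$SAMPLE_EVENTS" | tripwire | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_EVENTS" | block_rules
fi
```

The point the thread makes still stands: this only helps against attackers who sweep more than the ports you serve on. Someone who goes straight for sshd or Apache never touches a decoy, and only the daemon itself protects that port.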