----- Original Message -----
From: "James Kosin" <jkosin@xxxxxxxxxxxxxxxxxx>
To: "For users of Fedora Core releases" <fedora-list@xxxxxxxxxx>
Sent: Wednesday, October 27, 2004 10:56 AM
Subject: Re: Security....

> Rodolfo J. Paiz wrote:
>
> >On Wed, 2004-10-27 at 13:00 -0400, James Kosin wrote:
> >
> >>I took a simpler approach.
> >
> >Well yes, that is *simpler* but it is in no way better. It's also very
> >basic... in fact, that's the basic procedure for *any* firewall (close
> >everything then open up what you need), and that's how my firewall is
> >set up too. No news here.
> >
> >The Portsentry setup is to block those people who are going to attack
> >services I *do* run, since they will normally try to attack others as
> >well. So the guy who is going to test SSH for exploits, and try all
> >sorts of stuff on my Apache server, and see if he can get to Sendmail...
> >is also likely to trigger a hostile port and get deep-sixed for 48
> >hours.
> >
> >No iptables ruleset on Earth can protect you from attacks to an open
> >port on which you have a service listening. That job is up to the
> >process listening on the port. But you can attempt to find a way to
> >block those people before or during their probes... my Portsentry
> >mechanism is one such attempt, and has been highly successful for me as
> >an additional layer of defense over the last two years or so.
> >
> >>1. Set up iptables with the following
> >>   iptables -A INPUT -i lo -j ACCEPT # this allows local loop
> >>interface to always work.
> >
> >>Most clients, #1 above is enough to block all attacks.
> >
> >No way. #1 above has nothing to do with any external attacks. And indeed
> >closing all ports by default is just a precaution, since there should be
> >nothing listening on those ports *anyway* and thus there should be
> >nothing to crack except the services you do run. So in the end, your
> >primary risk comes from the services you offer being cracked or rooted.
> >
> >Again, no iptables ruleset on Earth can protect you from that.
> >
> >Cheers,
>
> Sorry, maybe I didn't make myself clear. #1 included all 3 iptables
> entries, not just the first.
> If you want to really cripple your machine, just do the first and third
> iptables entries and you will not be able to browse the web or anything.
> The second one opens up the return path for connections established by
> the client machine.
> You don't give iptables a chance. It is a very powerful feature. With
> proper setup you can allow unfettered access to your server on your
> network alone and deny access (or restrict) everyone else.
>
> James Kosin

Great thread guys... I do have to say... once I realized what Rodolfo was
describing I had to laugh. Very clever! Great mechanism! May need to look
into it for my stuff...

-Eucke
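The two mechanisms argued over in the thread, walked through in a small model (an added example, not code from the thread, from iptables or from Portsentry): James's three-rule layout (accept loopback, accept the return path of connections the host itself opened, drop everything else) and Rodolfo's tripwire (a probe on a port nothing listens on gets the source dropped for 48 hours, so its later attempts on real services never reach the daemon). Only the loopback rule appears verbatim in the thread; the iptables text for the second and third rules in the comments is the usual way of writing what James describes and is assumed here. The connection tracker and tripwire are simplified stand-ins for netfilter conntrack and Portsentry, and the addresses, ports and decoy list are constructed for the example.

```python
"""Default-deny host firewall with a stateful return path and a decoy-port
tripwire, modelled in Python.  Added example; not the thread's, iptables' or
Portsentry's code.  Conntrack and Portsentry are approximated by a set of
known connections and a dict of temporary blocks."""
from dataclasses import dataclass

HOUR = 3600


@dataclass(frozen=True)
class Packet:
    src: str           # remote address
    dst: str           # local address the packet arrived for
    sport: int         # remote port
    dport: int         # local port
    iface: str = "eth0"
    syn: bool = False  # True when the packet opens a new connection


class HostFirewall:
    def __init__(self, host_ip, open_ports, decoy_ports,
                 block_seconds=48 * HOUR, track_state=True):
        self.host_ip = host_ip
        self.open_ports = set(open_ports)    # services you deliberately run
        self.decoy_ports = set(decoy_ports)  # nothing listens here; a probe is hostile
        self.block_seconds = block_seconds
        self.track_state = track_state       # False models leaving out the second rule
        self.conns = set()    # (local_ip, local_port, remote_ip, remote_port)
        self.blocked = {}     # remote_ip -> simulated time the block expires
        self.now = 0          # simulated clock, seconds

    def connect_out(self, dst, dport, sport):
        """The host opens a connection (a browser fetching a page, say);
        conntrack remembers it so the reply can match ESTABLISHED."""
        self.conns.add((self.host_ip, sport, dst, dport))

    def inbound(self, pkt):
        """Return the verdict for one inbound packet."""
        # Tripwire block: a Portsentry-style block sits ahead of everything else.
        expiry = self.blocked.get(pkt.src)
        if expiry is not None and self.now < expiry:
            return "DROP:blocked"
        # Rule 1 (quoted in the thread): iptables -A INPUT -i lo -j ACCEPT
        if pkt.iface == "lo":
            return "ACCEPT:loopback"
        # Rule 2 (assumed text): iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        if self.track_state and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "ACCEPT:established"
        # Per-service rules for ports you actually serve, e.g.
        #   iptables -A INPUT -p tcp --dport 22 -j ACCEPT   (assumed text)
        if pkt.syn and pkt.dport in self.open_ports:
            self.conns.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT:service"
        # Decoy port: nothing legitimate ever connects here, so block the source.
        if pkt.dport in self.decoy_ports:
            self.blocked[pkt.src] = self.now + self.block_seconds
            return "DROP:tripwire"
        # Rule 3 (assumed text): iptables -P INPUT DROP, or a final -j DROP
        return "DROP:default"


def run_scenario(track_state=True):
    """Walk both stories from the thread through the model; return the verdicts."""
    host, web, scanner = "192.0.2.10", "198.51.100.5", "203.0.113.7"  # constructed
    fw = HostFirewall(host, open_ports={22, 80}, decoy_ports={1, 111, 143},
                      track_state=track_state)
    out = {}
    # Browsing: the host opens a connection to a web server and the reply comes back.
    fw.connect_out(web, dport=80, sport=40000)
    out["web_reply"] = fw.inbound(Packet(web, host, sport=80, dport=40000))
    # A scanner tests SSH first: iptables lets it through, sshd has to hold the line.
    out["ssh_probe"] = fw.inbound(Packet(scanner, host, sport=5555, dport=22, syn=True))
    # Then it touches a decoy port and trips the wire.
    out["decoy_probe"] = fw.inbound(Packet(scanner, host, sport=5556, dport=143, syn=True))
    # Its next attempt on a real service is dropped before sshd ever sees it.
    out["ssh_after_trip"] = fw.inbound(Packet(scanner, host, sport=5557, dport=22, syn=True))
    # Once the 48-hour block expires it can reach the service again.
    fw.now += 49 * HOUR
    out["ssh_after_expiry"] = fw.inbound(Packet(scanner, host, sport=5558, dport=22, syn=True))
    return out


if __name__ == "__main__":
    print(run_scenario())                   # with the return-path rule
    print(run_scenario(track_state=False))  # the "crippled" box: web replies dropped
```

Running it with `track_state=False` reproduces James's warning: with only the loopback and default-drop rules, the reply to the host's own outbound HTTP connection falls through to the final DROP, so nothing the machine initiates ever gets an answer. With the rule in place, the scanner's first SSH attempt is still accepted, which is Rodolfo's point that the filter cannot protect a listening service; the decoy probe is what turns the rest of that scan into dropped packets.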