From: "Alexander Dalloz" <alexander.dalloz@xxxxxxxxxxxxxxxx>

> On Thu, 04.03.2004, at 22:51, jdow wrote:
>
> > > No, there is no difference between REJECT and DROP in that issue. To log
> > > REJECTs and DROPs (I dislike DROP much) you have to set up proper
> > > logging rules with iptables. As an example you might log events with
> > > something like:
> > >
> > > iptables -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags
> > > FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 10/min -j LOG
> > > --log-prefix "NMAP-XMAS SCAN: " --log-level 7 --log-tcp-options
> > > --log-ip-options
> > >
> > > DROP is just "silent" against the remote initiator and lets it time out,
> > > while REJECT sends back valid rejection information.
> > >
> > > Alexander
> >
> > Alexander, why do you want to be nice to those who would probe your
> > barriers and tell them you are there? If THEY are nasty enough to
> > probe me then I am nasty enough to let them time out like unrequited
> > love.
> >
> > {^_^}
>
> Jane,
>
> it is not because of (wannabe) attackers or script kids, but because of
> accidental or unnoticed misconfigurations, or making it harder to find
> out errors. If you just fear giving away too much information about
> your system with a REJECT and use DROP to make it harder to guess, it
> would be only "security by obfuscation". :) Me - if I were an attacker
> kid - would find silent hosts even more interesting than those saying
> "no service here".
>
> But this is a totally different topic, very often discussed on the
> appropriate forums (usenet and web).
>
> Just my 2¢ (European cent:)
>
> Alexander

(It's Joanne but no harm no foul. I really should sign messages more
informatively. But.... {^_^} is sorta "me". {^_-})

There are ways my site can be discovered well enough. But I am not a
store with a door to which I'd love to have people traipsing. Heck, from
any of my emails my "door's address" can be ascertained, at least for the
duration of that DSL connection.

However, if I do not advertise I am there to the boundless numbers of
baby probes running around, the criminals er hackers will go for the
juicier meat nearby on the network addresses around mine that do respond.
A professional computer criminal might check some of the more oddball
ports and discover something. <enh> So it happens. I still have formal
barriers beyond the basic firewall. If each attacker has, say, a
probability p of penetrating the internal barriers and a probability b of
deciding that the void he probed was really something ripe for more
probing, then I've reduced my probability of getting hacked by b. If b is
1 in 10 and p is 1 in 1000 then the combined probability that the NEXT
layer will be probed is reduced to about 1 in 10,000. Proper defense is
built in layers like an onion. I'm not invulnerable here. But I've worked
to reduce the risk by every reasonable factor I can control. Obscurity is
no defense; but obscurity times firewall times tcpwrapper times passwords
times internal firewalls times yatta and more yatta yet is better than
without the obscurity, eh?

{^_^} Joanne Dow, aka Jolly Dirty Old Woman.
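As an added example, not from either poster: a small Python parser for the kernel-log lines that the LOG rule quoted above (prefix "NMAP-XMAS SCAN: ") writes, grouping hits per source address so the logging Alexander recommends can actually be read. The sample log lines, host name "gw" and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the iptables LOG target writes to
# the kernel log; the prefix matches the rule quoted in the thread. The
# last line is an unrelated sshd entry that the parser must skip.
SAMPLE_LOG = """\
Mar  4 22:51:03 gw kernel: NMAP-XMAS SCAN: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4660 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  4 22:51:03 gw kernel: NMAP-XMAS SCAN: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4661 PROTO=TCP SPT=54321 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  4 22:51:04 gw kernel: NMAP-XMAS SCAN: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4662 PROTO=TCP SPT=54321 DPT=443 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  4 22:52:10 gw kernel: NMAP-XMAS SCAN: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=25 WINDOW=5840 RES=0x00 URG PSH FIN URGP=0
Mar  4 22:53:00 gw sshd[1234]: Accepted publickey for joanne from 203.0.113.9
"""

PREFIX = "NMAP-XMAS SCAN: "          # --log-prefix from the quoted rule
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")  # bare flag tokens

def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG-target line plus a FLAGS set
    of the bare TCP flag tokens, or None if the prefix is absent."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields, flags = {}, []
    for tok in line[idx + len(PREFIX):].split():
        if "=" in tok:                 # e.g. SRC=..., DPT=..., URGP=0
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:         # e.g. URG PSH FIN
            flags.append(tok)
    fields["FLAGS"] = frozenset(flags)
    return fields

def summarize(log_text):
    """Group matching TCP lines by source: packet count and the set of
    destination ports each source touched (a port sweep shows as many ports)."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or f.get("PROTO") != "TCP":
            continue
        entry = per_src[f["SRC"]]
        entry["packets"] += 1
        entry["ports"].add(int(f["DPT"]))
    return dict(per_src)

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(f"{src}: {info['packets']} packets, ports {sorted(info['ports'])}")
```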