jdow wrote:
> A professional computer criminal might check some of the more oddball ports and discover something. <enh> So it happens. I still have formal barriers beyond the basic firewall. If each attacker has say a probability p of penetrating the internal barriers and a probability of b of deciding that the void he probed was really something ripe for more probing then I've reduced my probability of getting hacked by b. If b is 1 in 10 and p is 1 in 1000 then the combined probability that the NEXT layer will be probed is reduced to about 1 in 10,000. Proper defense is built in layers like an onion. I'm not invulnerable here. But I've worked to reduce the risk by every reasonable factor I can control.

Layered defenses are indeed the correct way to build up security.

If your system is truly 100% passive and offers no services at all then favoring DROP over REJECT can offer you some extra stealth at the expense of the ability to easily debug problems through the standard mechanisms like ping, traceroute and tcpdump. If you are providing at least one service on the system, then using DROP won't help hide you against a simple scan (no professional required) and all your choice does is make your system standards-unfriendly.

> It doesn't make me more of a target to return 'ICMP prohibited' packets in reply to probes at prohibited ports. On the contrary it probably makes me less of a target because I clearly have active security measures in place.

> Obscurity is no defense; but, obscurity times firewall times tcpwrapper times passwords times internal firewalls times yatta and more yatta yet is better than without the obscurity, eh?

If the obscurity only gives you a false sense of security, while impairing your own ability to monitor and debug your configuration, then it is indeed better without the obscurity.

> Put a firewall in front of your local network. Run host-based firewalls like iptables. Use secure protocols whenever possible. Run daemons chrooted when possible, and minimize the daemons you run. Use tcpwrappers to further limit access to the daemons you do run.

All these are good layers that do add to your security. Refusing to answer pings doesn't really add much, and just makes your server seem rude. ;)
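The DROP-versus-REJECT argument in this exchange can be made concrete with a small model of what a host reveals under each policy. The following is an added example, not code from either poster; it is a constructed Python model (no packets are sent) that assumes the REJECT policy is iptables' `-j REJECT --reject-with icmp-admin-prohibited`, pairs DROP with dropped pings and REJECT with answered pings, and uses made-up port sets. It shows the two claims above: a host with even one listening daemon is visibly alive under both policies, while a fully passive host gains stealth from DROP only at the price of ping no longer working.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Policy(Enum):
    """What the host firewall does with a packet no ACCEPT rule matched."""
    DROP = "DROP"        # iptables ... -j DROP: say nothing at all
    REJECT = "REJECT"    # iptables ... -j REJECT --reject-with icmp-admin-prohibited


@dataclass(frozen=True)
class Host:
    open_ports: frozenset   # TCP ports with a listening daemon (ACCEPTed)
    policy: Policy          # fate of everything else
    answer_ping: bool       # whether ICMP echo requests are ACCEPTed


def respond(host: Host, probe: tuple) -> Optional[str]:
    """Reply the host emits for one probe, or None for silence.

    probe is ("icmp", "echo") or ("tcp", <port>). This is a constructed
    model that only records whether anything comes back, not a packet
    simulation."""
    kind, target = probe
    if kind == "icmp":
        return "icmp-echo-reply" if host.answer_ping else None
    if target in host.open_ports:
        return "tcp-syn-ack"              # the daemon answers whatever the policy
    if host.policy is Policy.REJECT:
        return "icmp-admin-prohibited"    # explicit, standards-friendly refusal
    return None                           # DROP: the sender waits for a timeout


def classify(reply: Optional[str]) -> str:
    """Label a reply the way any remote party, friendly or not, reads it."""
    return {
        "tcp-syn-ack": "open",
        "icmp-admin-prohibited": "prohibited (explicit)",
        None: "no reply (timeout; policy or packet loss?)",
    }[reply]


def observe(host: Host, probes: list) -> dict:
    """Summarise what the probes reveal: liveness, ping usability, port states."""
    replies = {p: respond(host, p) for p in probes}
    return {
        "host_alive": any(r is not None for r in replies.values()),
        "ping_works": replies.get(("icmp", "echo")) is not None,
        "port_states": {port: classify(r)
                        for (kind, port), r in replies.items() if kind == "tcp"},
    }


# Constructed probe set: a ping plus three common TCP ports.
PROBES = [("icmp", "echo"), ("tcp", 22), ("tcp", 80), ("tcp", 443)]


def compare(open_ports) -> dict:
    """Observe the same host under both policies (assumed pairing: DROP hosts
    also drop pings, REJECT hosts answer them)."""
    return {
        "DROP": observe(Host(frozenset(open_ports), Policy.DROP, answer_ping=False), PROBES),
        "REJECT": observe(Host(frozenset(open_ports), Policy.REJECT, answer_ping=True), PROBES),
    }


if __name__ == "__main__":
    for label, ports in (("web server", {80}), ("fully passive", set())):
        for policy, seen in compare(ports).items():
            print(f"{label:13} {policy:6} alive={seen['host_alive']!s:5} "
                  f"ping={seen['ping_works']!s:5} {seen['port_states']}")
```

Running it prints the web server as alive under both policies (port 80 answers regardless), with the only difference being that DROP turns every other port into an ambiguous timeout and breaks ping, while the passive host is silent under DROP and revealed by its own prohibited replies under REJECT.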