Re: NTP, ntpdate, and ISP-based firewall

Bevan C. Bennett wrote:

jdow wrote:

A professional computer criminal might check some of the more oddball
ports and discover something. <enh> So it happens. I still have formal
barriers beyond the basic firewall. If each attacker has say a probability
p of penetrating the internal barriers and a probability of b of deciding
that the void he probed was really something ripe for more probing then
I've reduced my probability of getting hacked by b. If b is 1 in 10 and
p is 1 in 1000 then the combined probability that the NEXT layer
will be probed is reduced to about 1 in 10,000. Proper defense is built
in layers like an onion. I'm not invulnerable here. But I've worked to
reduce the risk by every reasonable factor I can control.


Layered defenses are indeed the correct way to build up security.

If your system is truly 100% passive and offers no services at all then favoring DROP over REJECT can offer you some extra stealth at the expense of the ability to easily debug problems through the standard mechanisms like ping, traceroute and tcpdump. If you are providing at least one service on the system, then using DROP won't help hide you against a simple scan (no professional required) and all your choice does is make your system standards-unfriendly.

It doesn't make me more of a target to return 'ICMP prohibited' packets in reply to probes at prohibited ports. On the contrary it probably makes me less of a target because I clearly have active security measures in place.

Obscurity is no defense; but, obscurity times firewall times tcpwrapper
times passwords times internal firewalls times yatta and more yatta yet
is better than without the obscurity, eh?


If the obscurity only gives you a false sense of security, while impairing your own ability to monitor and debug your configuration, then it is indeed better without the obscurity.

Put a firewall in front of your local network.
Run host-based firewalls like iptables.
Use secure protocols whenever possible.
Run daemons chrooted when possible, and minimize the daemons you run.
Use tcpwrappers to further limit access to the daemons you do run.

All these are good layers that do add to your security. Refusing to answer pings doesn't really add much, and just makes your server seem rude. ;)

so by your definition, these hosts are rude???? (many more examples available)

[jeff]$ ping www.mysql.com
PING www.mysql.com (66.35.250.190) 56(84) bytes of data.

--- www.mysql.com ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms

[jeff]$ ping www.redhat.com
PING www.redhat.com (66.187.232.50) 56(84) bytes of data.

--- www.redhat.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5018ms
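As an added example for the DROP-versus-REJECT point argued above (this is not code from the thread or from any of its posters), here is a small host-based iptables policy in the spirit of Bevan's list: a host firewall, only the daemons you actually run, and a host that still answers ping. Probes at prohibited ports get an ICMP "administratively prohibited" REJECT rather than a silent DROP, so legitimate clients fail fast and your own ping/traceroute/tcpdump debugging keeps working. The `IPT` variable, the `ALLOWED_TCP_PORTS` service list and the `show`/`apply` arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal host-based iptables INPUT
# policy that refuses prohibited ports openly (ICMP admin-prohibited) instead of
# silently dropping them, and stays ping-answerable for diagnostics.
# IPT and ALLOWED_TCP_PORTS are assumptions for this example; set IPT=echo to
# print the rules instead of applying them.
IPT="${IPT:-iptables}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 80}"   # hypothetical list of offered services

apply_policy() {
    $IPT -F INPUT
    # Fallback policy only; the explicit REJECT rule at the end normally fires first.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host initiated, and related ICMP errors.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Answer ping (rate-limited) so ping/traceroute against this host keep working.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Only the services actually offered; everything else is refused below.
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" --syn -j ACCEPT
    done
    # Prohibited ports are refused openly rather than silently dropped: the prober
    # (and the legitimate client with a typo) gets 'ICMP prohibited' immediately.
    $IPT -A INPUT -j REJECT --reject-with icmp-admin-prohibited
}

# Print the rule set instead of applying it (subshell, so IPT is left untouched).
show_policy() {
    ( IPT=echo; apply_policy )
}

case "${1:-}" in
    apply) apply_policy ;;   # needs root
    show)  show_policy ;;
esac
```

Run `sh hostfw.sh show` to review the generated rules and `sh hostfw.sh apply` (as root) to load them. Changing the final rule's target to `DROP` gives the "stealth" variant discussed above; with at least one ACCEPTed service in the loop, the open port still announces the host to any scanner, which is the trade-off the reply describes.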






