Re: Shorewall for web server?


 



Tim wrote:
On Wed, 2005-12-28 at 21:49 +0800, John Summerfied wrote:

I've seen a couple of cracked boxes. The first thing the intruders did
was install their own server, an IRC bot. It was licenced under the
GPL, and they complied with the licence, giving me the source code to
it.

It's true the boxes had servers on them: one needs ssh for remote maintenance, and it's the nature of useful server (boxes) that they
run server software on them, but the intruders didn't use the existing
servers except to gain entry.


And how did they crack your box, and install stuff on it?  It'd be an

I didn't say whose box it was, and it was nothing to do with firewalls.


exploit of a *service* of some kind.  If there was no service on the
firewall (the only machine that they can directly access), then they
couldn't install anything on it.  They have to have something to
exploit.
I also didn't say it was the firewall. It wasn't, and the firewall wasn't at fault.



The protection offered by a firewall against incoming attacks is
vastly overrated.


That's for sure, particularly if people believe that just having one
protects them without any effort on their behalf, or that it's an
absolute protection.  As I said, it's just another step towards greater
security.

But a real, firewall-only, device between you and them does what the
word suggests.  It's a hardy object that they can't do much to, and
makes it difficult to do anything beyond it.


Reread what I did say. A firewall does not prevent attacks against services that must be open to the public, for example, because they provide a public service. Neither does your firewall protect against content you invite through it such as stuff from my website.

If you want to run an ftp server for people to download stuff, then people have to be able to access it. If you don't need to operate an ftp server, then don't install it and nobody can attack it, firewall or no.




--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

do not reply off-list

