Adam McKenna <adam@debian.org> wrote:
>
> No, sorry. Every box connected to the internet does not need a stateful
> firewall in front of it. This is an idea that has been propagated by the
> clueless "security admin" world in order to sell more Checkpoint licenses.

Wrong. Have you never heard of multiple levels of security?

> A web server box running Apache and SSH (only) can be adequately protected by
> tcp wrappers if they're configured correctly. (i.e., using IP-based access
> rules.)

s/configured correctly/configured correctly and contain no vulnerabilities/

That bit about no vulnerabilities is important. Don't rely on just one method
of stopping attacks, because eventually someone will find a way around it.

Would you rely solely on an access control directive in Apache to protect your
server from nasty people? I wouldn't. That leaves you open to any vulnerability
found in header parsing or the request-response mechanism in Apache.

Maybe TCP-wrappers will become vulnerable to some attack. Then your IP-based
access lists are moot.

The TCP stack itself in your web server may be vulnerable to attack, in which
case the attack won't even get as far as TCP-wrappers.

The best approach to security is to protect yourself from attacks at all these
levels. You seem to show a fundamental lack of understanding of how to properly
secure a machine connected to the Internet.
--
Sam Couter          |   Internet Engineer   |   http://www.topic.com.au/
sam@topic.com.au    |   tSA Consulting      |
OpenPGP key ID:       DE89C75C, available on key servers
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
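The three layers the reply argues for (a stateful packet filter in front of the TCP stack, tcp wrappers behind it, and Apache's own access control) written out as concrete configuration. This is an added example, not part of the original thread; the administrators' network 192.0.2.0/24 and the /server-status path are constructed placeholders, and the Apache directives are the 2.2-era Order/Deny/Allow form.

```shell
#!/bin/sh
# Added example: three independent layers protecting a box that runs only
# Apache and SSH. Each function emits one layer's configuration for review;
# nothing is applied automatically. 192.0.2.0/24 is a constructed stand-in
# for the administrators' network.
ADMIN_NET="192.0.2.0/24"

# Layer 1: stateful packet filter. Evaluated before a packet reaches a
# listening socket, so a flaw in sshd or libwrap is not reachable from
# outside ADMIN_NET at all, and a flaw in Apache is exposed only on port 80.
packet_filter_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -m state --state NEW -j ACCEPT
EOF
}

# Layer 2: tcp wrappers, consulted by sshd (when built with libwrap) after
# the TCP handshake has completed. Deny everything, then allow what is needed,
# so the list still holds if the packet filter is ever misconfigured.
tcp_wrappers_config() {
    printf '# /etc/hosts.deny\nALL: ALL\n\n'
    printf '# /etc/hosts.allow\nsshd: %s\n' "$ADMIN_NET"
}

# Layer 3: access control inside Apache itself, restricting an administrative
# location even though port 80 is open to the world at the outer layers.
apache_access_control() {
    cat <<EOF
<Location /server-status>
    Order deny,allow
    Deny from all
    Allow from $ADMIN_NET
</Location>
EOF
}

# Print all three layers for review; apply each as root once it is checked.
packet_filter_rules
tcp_wrappers_config
apache_access_control
```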