
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



Adam McKenna <adam@debian.org> wrote:
> 
> No, sorry.  Every box connected to the internet does not need a stateful
> firewall in front of it.  This is an idea that has been propagated by the
> clueless "security admin" world in order to sell more Checkpoint licenses.

Wrong. Have you never heard of multiple levels of security?

> A web server box running Apache and SSH (only) can be adequately protected by 
> tcp wrappers if they're configured correctly.  (IE, using IP-based access 
> rules.)

s/configured correctly/configured correctly and contain no vulnerabilities/

That bit about no vulnerabilities is important. Don't rely on just one
method of stopping attacks, because eventually someone will find a way
around it.

Would you rely solely on an access control directive in Apache to protect
your server from nasty people? I wouldn't. That leaves you open to any
vulnerability found in header parsing or the request-response mechanism in
Apache.

Maybe TCP-wrappers will become vulnerable to some attack. Then your IP-based
access lists are moot.

The TCP stack itself in your web server may be vulnerable to attack, in
which case the attack won't even get as far as TCP-wrappers.

The best approach to security is to protect yourself from attacks at all
these levels.

You seem to show a fundamental lack of understanding of how to properly
secure a machine connected to the Internet.
-- 
Sam Couter          |   Internet Engineer   |   http://www.topic.com.au/
sam@topic.com.au    |   tSA Consulting      |
OpenPGP key ID:       DE89C75C,  available on key servers
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
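Added example, not code from this thread or from Debian: a small Python model of the hosts.allow/hosts.deny evaluation that "IP-based access rules" in tcp wrappers rely on (allow file first, then deny file, otherwise allow, per hosts_access(5)), so the ALL: PARANOID rule from the subject line can be exercised next to address rules. The DNS answers and host addresses are a constructed table standing in for the resolver; the model only covers the libwrap layer, which is exactly the point of the reply above: nothing here helps against a flaw in the daemon or the TCP stack beneath it.

```python
"""Model of tcp_wrappers hosts_access(5) decisions (added example, assumptions noted)."""
import ipaddress

# Constructed forward/reverse DNS answers standing in for the resolver (hypothetical hosts).
REVERSE = {"10.0.0.5": "admin.example.test", "203.0.113.9": "evil.example.test"}
FORWARD = {"admin.example.test": ["10.0.0.5"], "evil.example.test": ["198.51.100.1"]}

# Constructed access files: IP-based allow rules for sshd, deny everything else.
ALLOW = "sshd: 10.0.0.5, 192.168.1.0/255.255.255.0\n"
DENY = "ALL: PARANOID\nALL: ALL\n"

def client_matches(pattern, addr):
    """True if one client-list pattern matches the client IPv4 address (EXCEPT not modelled)."""
    name = REVERSE.get(addr)                      # None when there is no PTR record
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":                        # address resolves to a name
        return name is not None
    if pattern == "UNKNOWN":                      # address has no name
        return name is None
    if pattern == "PARANOID":                     # name exists but does not map back to addr
        return name is not None and addr not in FORWARD.get(name, [])
    if pattern.endswith("."):                     # leading-octets prefix such as 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                            # net/mask or CIDR form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return addr == pattern                        # exact address

def any_rule_matches(rules, daemon, addr):
    """True if any 'daemon_list : client_list' line of one access file matches."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        daemon_ok = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
        client_ok = any(client_matches(c.strip(), addr) for c in clients.split(","))
        if daemon_ok and client_ok:
            return True
    return False

def hosts_access(allow, deny, daemon, addr):
    """Decide as libwrap does: a matching allow line wins, then a matching deny line, else allow."""
    if any_rule_matches(allow, daemon, addr):
        return "allow"
    if any_rule_matches(deny, daemon, addr):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for daemon, addr in [("sshd", "10.0.0.5"), ("sshd", "203.0.113.9"), ("in.telnetd", "10.0.0.5")]:
        print(daemon, addr, hosts_access(ALLOW, DENY, daemon, addr))
```

Note that PARANOID only matches hosts whose reverse name exists and fails the forward check; a client with no PTR record at all passes it, which is why the constructed deny file also needs the trailing ALL: ALL line.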
