
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Fri, Apr 20, 2001 at 12:14:22AM -0700, Aaron Lehmann wrote:
> On Fri, Apr 20, 2001 at 02:02:57AM -0500, Nathan E Norman wrote:
> > Everyone knows how to configure a stateful firewall, I can't believe
> > more people don't have one.  Damn lazy bastards.
> 
> Firewalls in general suck because they limit access. If systems aren't
> secure, well, they should be secured. Not blocked off from meaningful
> communication with the internet.

Not true - see below.

> I run a firewall, but only to SNAT (which is NOT for security, but for
> using multiple computers per IP as a conservation measure).
> 
> While it's not really on-topic, I must say that I disagree with Daniel.
> It is wrong to open only specific incoming ports, because if you have
> some evil backdoor running, sorry -- your system's already been cracked
> somehow. The real way to make a system more secure is to:

Only certain hosts can FTP, telnet, and SSH to me. I need FTP, telnet and
SSH available to myself and friends, but don't want to open it up to the
world, because there's no-one else who could possibly have a legitimate
reason to use it. Therefore, I use iptables to enforce limits like this.
Plus, it takes care of port-scanning morons.

And let's not forget, even if there IS some evil bug in exim that causes my
system to get cr4x0red, I don't want *ANY* other ports accessible. They
could circumvent this, sure, but it'd be harder.

> * use daemons with a reputation of being secure

Unless they're shit, i.e. djbdns.

> * limit the daemons you run and configure them carefully

Which I do.

> * pay attention to your system and security advisories. read bugtraq

Ditto, but sometimes script kiddies beat bugtraq to it, and not everything
can be done at the Speed of Bugtraq.

> * audit the code (if you care that much)

Personally, I don't, because of the level of care I take.

> Don't fix the symptom, fix the problem.

While we're at cliches, an ounce/gram/kilo/<insert unit of measure here> of
prevention is better than an <see above> of cure. I'm sure that's not it,
but it's similar. Damn my memory.

-- 
Daniel Stone
Linux Kernel Developer
daniel@kabuki.openfridge.net

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
G!>CS d s++:- a---- C++ ULS++++$>B P---- L+++>++++ E+(joe)>+++ W++ N->++ !o
K? w++(--) O---- M- V-- PS+++ PE- Y PGP>++ t--- 5-- X- R- tv-(!) b+++ DI+++ 
D+ G e->++ h!(+) r+(%) y? UF++
------END GEEK CODE BLOCK------
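The approach Daniel describes above (only certain hosts may reach FTP, telnet and SSH, everything else dropped so a compromised daemon gains no extra ports) as an added example, not part of the original thread. It is a POSIX shell script that emits an iptables ruleset in iptables-restore format; the host addresses and port list are constructed placeholders, and nothing is applied until the output is piped into iptables-restore.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post: generate a
# default-deny INPUT chain that admits only named hosts to FTP/SSH/telnet.
# Review the output, then apply with:  sh allowlist.sh | iptables-restore
# (assumes the iptables "state" match, available as ipt_state/xt_state).

# Constructed sample values: replace with the real friend/admin hosts.
ALLOWED_HOSTS="192.0.2.10 198.51.100.7"
ALLOWED_PORTS="21 22 23"   # ftp, ssh, telnet

# One ACCEPT rule per (host, port) pair; only NEW connections need it,
# replies are covered by the ESTABLISHED,RELATED rule below.
allow_rules() {
    for host in $ALLOWED_HOSTS; do
        for port in $ALLOWED_PORTS; do
            printf '%s\n' "-A INPUT -p tcp -s $host --dport $port -m state --state NEW -j ACCEPT"
        done
    done
}

# Full ruleset: INPUT policy DROP, loopback and established traffic allowed,
# then the per-host allows, then a rate-limited log line before the final
# DROP so port scans show up in the kernel log without flooding it.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    allow_rules
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of host/port ACCEPT rules produced; handy as a sanity check
# before applying (hosts x ports).
count_allow_rules() {
    allow_rules | wc -l | tr -d ' '
}

# Print the ruleset when run directly.
[ "${1:-}" = "--count" ] && { count_allow_rules; exit 0; }
gen_ruleset
```

Two practical notes: FTP data connections (active or passive) are only classified RELATED when the FTP connection-tracking helper (ip_conntrack_ftp / nf_conntrack_ftp) is loaded, so without it the allow-list breaks directory listings; and because the INPUT policy is DROP, apply the rules from a console or with a scheduled rollback the first time, since a typo in the SSH line locks you out.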