Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Fri, Apr 20, 2001 at 12:14:22AM -0700, Aaron Lehmann wrote:
> On Fri, Apr 20, 2001 at 02:02:57AM -0500, Nathan E Norman wrote:
> > Everyone knows how to configure a stateful firewall, I can't believe
> > more people don't have one. Damn lazy bastards.
>
> Firewalls in general suck because they limit access. If systems aren't
> secure, well, they should be secured. Not blocked off from meaningful
> communication with the internet.
Not true - see below.
> I run a firewall, but only to SNAT (which is NOT for security, but for
> using multiple computers per IP as a conservation measure).
>
> While it's not really on-topic, I must say that I disagree with Daniel.
> It is wrong to open only specific incoming ports, because if you have
> some evil backdoor running, sorry -- your system's already been cracked
> somehow. The real way to make a system more secure is to:
Only certain hosts can FTP, telnet, and SSH to me. I need FTP, telnet and
SSH available to myself and friends, but don't want to open it up to the
world, because there's no-one else who could possibly have a legitimate
reason to use it. Therefore, I use iptables to enforce limits like this.
Plus, it takes care of port-scanning morons.
And let's not forget, even if there IS some evil bug in exim that causes my
system to get cr4x0red, I don't want *ANY* other ports accessible. They
could circumvent this, sure, but it'd be harder.
> * use daemons with a reputation of being secure
Unless they're shit, i.e. djbdns.
> * limit the daemons you run and configure them carefully
Which I do.
> * pay attention to your system and security advisories. read bugtraq
Ditto, but sometimes script kiddies beat bugtraq to it, and not everything
can be done at the Speed of Bugtraq.
> * audit the code (if you care that much)
Personally, I don't, because of the level of care I take.
> Don't fix the symptom, fix the problem.
While we're at cliches, an ounce/gram/kilo/<insert unit of measure here> of
prevention is better than an <see above> of cure. I'm sure that's not it,
but it's similar. Damn my memory.
--
Daniel Stone
Linux Kernel Developer
daniel@kabuki.openfridge.net
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
G!>CS d s++:- a---- C++ ULS++++$>B P---- L+++>++++ E+(joe)>+++ W++ N->++ !o
K? w++(--) O---- M- V-- PS+++ PE- Y PGP>++ t--- 5-- X- R- tv-(!) b+++ DI+++
D+ G e->++ h!(+) r+(%) y? UF++
------END GEEK CODE BLOCK------
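The setup Daniel describes above (FTP, telnet and SSH reachable only from a short list of hosts, everything else dropped, port scans logged) translates into a small iptables ruleset. The script below is an added illustration, not Daniel's own configuration; the host addresses and the port list are constructed placeholders (RFC 5737 documentation ranges), and it emits iptables-restore syntax rather than applying rules, so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example: generate a default-deny INPUT ruleset that admits FTP,
# telnet and SSH only from an allow-list of hosts, in iptables-restore format.
# ALLOWED_HOSTS and ADMIN_PORTS are constructed assumptions; edit for your site.

ALLOWED_HOSTS="192.0.2.10 198.51.100.0/24"   # constructed sample addresses
ADMIN_PORTS="21 22 23"                        # FTP, SSH, telnet

# gen_ruleset HOSTS PORTS -> prints a complete *filter table on stdout
gen_ruleset() {
    hosts=$1
    ports=$2
    portlist=$(echo "$ports" | tr ' ' ',')

    echo "*filter"
    echo ":INPUT DROP [0:0]"          # default deny for inbound traffic
    echo ":FORWARD DROP [0:0]"        # not a router here; drop forwarded packets
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"   # loopback must stay open for local services
    # Replies to connections we opened, plus FTP data channels tracked by
    # the ftp conntrack helper, come back as ESTABLISHED/RELATED.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # One explicit ACCEPT per (host, port): only listed hosts may open
    # new connections to the admin ports.
    for h in $hosts; do
        for p in $ports; do
            echo "-A INPUT -p tcp -s $h --dport $p -m state --state NEW -j ACCEPT"
        done
    done

    # Anyone else probing those ports gets logged before the policy drops
    # the packet, which gives a record of port scanners without answering them.
    echo "-A INPUT -p tcp -m multiport --dports $portlist -j LOG --log-prefix \"admin-port-denied: \""
    echo "-A INPUT -j DROP"
    echo "COMMIT"
}

# Usage: review the output, then load it with   sh thisfile | iptables-restore
gen_ruleset "$ALLOWED_HOSTS" "$ADMIN_PORTS"
```

The ESTABLISHED,RELATED rule is what lets passive and active FTP data connections through without opening the high port range; it only works if the FTP connection-tracking helper module is loaded. Everything not matched by an explicit ACCEPT falls through to the DROP policy, which is the "no other ports accessible" property the message asks for.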