Julien Dupre wrote on Tue Jun 19, 2001 at 11:14:06PM:

> I'm using these packages with the latest versions in stable: postfix,
> apache 1.3.9 (quite old btw but not necessarily a problem), bind
> 8.2.3, openssh 1.2.3 [...]
> My idea is not to look at security alerts but trust that Debian
> maintainers will do it. I have a daily cron job which mails me if
> "apt-get -s upgrade" says something should be upgraded. Is this not
> reasonable?

Hopefully, security.debian.org is in your /etc/apt/sources.list?

> Is there any case where a package with a known exploit
> was not upgraded quickly in stable?
>
> > ) with ipchains/iptables you have a choice of accepting, rejecting
> > or dropping packets. If you reject them, they know you exist. If you
> > drop them, they have to wait for a timeout before they know anything
> > about you - you can play dead.
>
> Yes, but why should I want to drop them? As I would only deny packets
> for services I'm not running, a potential attacker would just get a
> timeout for services which aren't running anyway.

You've got the point. I had to learn that there is no sense in dropping
packages instead of rejecting them. And ... once you offer services you
cannot play dead anyway.

> Right, but more generally about the interest of ipchains: if I have
> to consider such packets dangerous, it means that opened services
> are not secured. Can't I just rely on having the most recent versions
> installed and be confident, except for zero-day exploits?

Simple rule: reject anything that is not essential for the services you
are offering. Put yourself in paranoia-mode while building your firewall.

Matthias
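The daily "apt-get -s upgrade" cron check Julien describes, as an added example that is not part of this thread: it parses the dry-run output and flags packages that come from the security archive, so the mail shows security fixes first instead of a flat list. The "Debian-Security" origin label is an assumption about how apt names the security.debian.org archive, and the sample output is constructed.

```python
"""Cron helper: parse `apt-get -s upgrade` (a dry run, no root needed) and
build a mail body listing pending upgrades, security fixes first."""
import re
import subprocess
from dataclasses import dataclass
from typing import List

# apt-get -s prints one "Inst <pkg> [<old>] (<new> <origin> [<arch>])" line
# per package it would upgrade; "Conf" lines and chatter are ignored.
INST_RE = re.compile(r"^Inst (\S+) \[([^\]]+)\] \((\S+) (\S+)")


@dataclass
class PendingUpgrade:
    package: str
    old_version: str
    new_version: str
    origin: str

    @property
    def is_security(self) -> bool:
        # Assumption: the security archive shows up as "Debian-Security:...".
        return self.origin.startswith("Debian-Security")


def parse_simulated_upgrade(output: str) -> List[PendingUpgrade]:
    """One PendingUpgrade per matching 'Inst' line, in apt's order."""
    return [PendingUpgrade(*m.groups())
            for m in map(INST_RE.match, output.splitlines()) if m]


def build_report(upgrades: List[PendingUpgrade]) -> str:
    """Mail body; empty string means there is nothing to send today."""
    if not upgrades:
        return ""
    lines = ["Pending upgrades on this host (apt-get -s upgrade):"]
    for u in sorted(upgrades, key=lambda u: (not u.is_security, u.package)):
        tag = "SECURITY" if u.is_security else "regular "
        lines.append(f"  [{tag}] {u.package}: {u.old_version} -> "
                     f"{u.new_version} ({u.origin})")
    return "\n".join(lines)


def run_check() -> str:
    """Run the real dry run; pipe the result to mail from cron if non-empty."""
    out = subprocess.run(["apt-get", "-s", "upgrade"], capture_output=True,
                         text=True, check=False).stdout
    return build_report(parse_simulated_upgrade(out))


# Constructed sample output in apt's format (not captured from a real host).
SAMPLE = """\
Reading package lists...
The following packages will be upgraded:
  libssl1.1 openssh-server
Inst libssl1.1 [1.1.1n-0+deb11u4] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst openssh-server [1:8.4p1-5+deb11u1] (1:8.4p1-5+deb11u2 Debian:11.7/stable [amd64])
Conf libssl1.1 (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
"""
```

Running `python3 thisfile.py` from cron and mailing its output only when non-empty reproduces the daily check, with security-archive packages listed first.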