
Re: My machine was hacked - possibly via sshd?



On Tue, Mar 29, 2005 at 03:43:11AM +0200, Javier Fernández-Sanguino Peña wrote:
> And, yes, if you need outgoing FTP/WWW access from that box then you should
> have a filter for those servers you actually need (like
> security.debian.org). Sorry, allowing remote access to an SSH server that
> is not setup in a properly isolated DMZ with incoming and outgoing filters
> is not a good idea.

It should be noted that it is entirely possible, even on today's
internet, to run a large network completely exposed to the internet.  It
always makes me sad when I hear people talking as though you simply
*must* have a firewall, or else you're endangering yourself, your users,
and the internet community as a whole.  You can run with "default allow"
policy, and do it safely.  Firewalls cause two major problems.  First of
all, they lead to a false sense of security.  They create a "soft
underbelly" with a hard shell.  If you can get through the shell, who
knows what kind of weak trust relationships, unpatched security
vulnerabilities, and insecure protocols you're going to find.  Second,
it is a royal PITA for users who find that their applications don't work
due to strict firewall policies.  These users, or the developers of
their software, invariably will find some way to get their traffic
through.  Witness all the stuff that gets tunneled over HTTP or ssh
these days.  Traffic will flow around your firewall, one way or another.
Secure hosts, services, and authentication mechanisms, as well as sound
policies, can make an open network at least as secure as one that is
tightly firewalled.

noah


