Re: My machine was hacked - possibly via sshd?
On Mon, 28 Mar 2005, Noah Meyerhans wrote:
> It should be noted that it is entirely possible, even on today's
> internet, to run a large network completely exposed to the internet. It
> always makes me sad when I hear people talking as though you simply
> *must* have a firewall, or else you're endangering yourself, your users,
I would say this is true up to a point but it does have some caveats:
- It presumes an admin is diligently keeping up to date with patches. In
a perfect world this would always be true.
- It presumes the vendor(s) are providing patches in a timely manner.
- It presumes that no misconfigurations exist. Plenty of
misconfigurations occur when they should not and the firewall may be the
only thing that stops an intrusion in this case.
- It tends to violate the principle of "Security in depth". Stay fully
patched and have a firewall (and IDS) as well.
- It ignores the advantages of rate limiting capabilities built into many
firewalls (such as iptables).
- It ignores the fact that being able to probe a network may be useful for
a future attack.
I do agree that admins should always consider why they are doing
something, like putting in a firewall, rather than just blindly doing it.
> and the internet community as a whole. You can run with "default allow"
> policy, and do it safely. Firewalls cause two major problems. First of
> all, they lead to a false sense of security. They create a "soft
IMHO user/admin education is the key here.
> underbelly" with a hard shell. If you can get through the shell, who
I do agree. Internal firewalls may be needed, or other measures. I won't
go into this topic, as it is quite open ended.
> due to strict firewall policies. These users, or the developers of
The work of a modern admin is very much a balance between functionality
> their software, invariably will find some way to get their traffic
> through. Witness all the stuff that gets tunneled over HTTP or ssh
Yep, that annoys me, and I do recognise the core problem. Very often they
are just trying to do their job when they tunnel data like that too.
Wonderful, isn't it?
IMHO it comes down to intelligently assessing the needs of the
organisation. Too few admins are doing that today (IMHO).
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Phone: 416-669-3073 Email: email@example.com http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest (http://www.spi-inc.org)
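The rate-limiting point in the caveat list above is concrete enough to show: the iptables "recent" match can cap how many new SSH connections a single source may open per window, which is exactly the kind of layer a firewall adds even on a fully patched host. The script below is an added example written for this page, not code posted by either participant; the chain name SSH_LIMIT, the 4-hits-per-60-seconds threshold and the 192.0.2.0/24 admin network are hypothetical choices. It emits the rules rather than applying them, so it can be read (and tested) without root; pass --apply to feed them to a shell.

```shell
#!/bin/sh
# Added example: per-source SSH connection rate limiting with the iptables
# "recent" match. Parameters and the admin network are hypothetical.
set -eu

# Print the rules for port $1, dropping a source after $2 new connections
# within $3 seconds. Printing (instead of applying) keeps this reviewable.
ssh_ratelimit_rules() {
    port=${1:-22}; hits=${2:-4}; window=${3:-60}
    admin_net=${ADMIN_NET:-192.0.2.0/24}   # hypothetical trusted range
    # Note: xt_recent keeps at most ip_pkt_list_tot (default 20) timestamps
    # per address, so --hitcount must not exceed that without a module
    # parameter change.
    cat <<EOF
iptables -N SSH_LIMIT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_LIMIT
iptables -A SSH_LIMIT -s $admin_net -j ACCEPT
iptables -A SSH_LIMIT -m recent --name ssh --set
iptables -A SSH_LIMIT -m recent --name ssh --rcheck --seconds $window --hitcount $hits -j LOG --log-prefix "ssh-ratelimit: "
iptables -A SSH_LIMIT -m recent --name ssh --update --seconds $window --hitcount $hits -j DROP
iptables -A SSH_LIMIT -j ACCEPT
EOF
}

# Only NEW connections are counted (the conntrack match), so an existing
# session is never throttled; the admin network is accepted before the
# counter so a lockout cannot cut off the operator. --rcheck for the LOG
# rule reads the list without refreshing it; --update on the DROP rule
# refreshes the last-seen time, so a source that keeps hammering stays
# blocked until it backs off for a full window.
case "${1:-}" in
    --apply) ssh_ratelimit_rules 22 4 60 | sh ;;
    *)       ssh_ratelimit_rules 22 4 60 ;;
esac
```

Run without arguments to review the generated rules; `sh script.sh --apply` installs them. On a host that also runs an IDS, the LOG line gives it a per-source signal that a bare DROP would not.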