RE: How to tell if a Linux machine is a zombie?
James Stevenson wrote:
>> > > useful in this environment?
>> > Many folks like that one. I use shorewall. You can always block
>> > outgoing ports that you dont use. If you dont run an ftp server, block
>> > port 20 and 21, etc.
>> >
>> That is why I really like the "default deny" mentality. Start by
>> blocking all incoming and outgoing new connections. Allow only incoming
>> connections for services that you know you are running. Allow only
>> outbound connections for things you know you want to do. If you only
>> browse the web and use ssh, then only allow those ports. Many badware
>> applications use port 80 or port 443, since those are very rarely
>> blocked. For bonus points, block those and setup and authenticating
>> proxy.
>
> The default deny policy can also open up a security hole on its own.
> Be aware that the default rate limited reject policy can be better.
>
> Even for blocking 80 / 443 this is why some places use proxy's cause you
> block everything else but allow the proxy. It can be even more secure to
> use a transparent proxy because something on port 80 is forced to talk
> http instead of another protocol.
Be advised that it is a bad idea to set up a transparent authenticating
proxy as this will utterly break HTTP authentication.
Reply to: