
RE: How to tell if a Linux machine is a zombie?



James Stevenson wrote:

>> > > useful in this environment?
>> > Many folks like that one. I use shorewall. You can always block
>> > outgoing ports that you don't use. If you don't run an ftp server, block
>> > port 20 and 21, etc.
>> >
>> That is why I really like the "default deny" mentality.  Start by
>> blocking all incoming and outgoing new connections.  Allow only incoming
>> connections for services that you know you are running.  Allow only
>> outbound connections for things you know you want to do.  If you only
>> browse the web and use ssh, then only allow those ports.  Many badware
>> applications use port 80 or port 443, since those are very rarely
>> blocked.  For bonus points, block those and set up an authenticating
>> proxy.
> 
> The default deny policy can also open up a security hole on its own.
> Be aware that the default rate limited reject policy can be better.
> 
> Even for blocking 80 / 443 this is why some places use proxies because you
> block everything else but allow the proxy. It can be even more secure to
> use a transparent proxy because something on port 80 is forced to talk
> http instead of another protocol.

Be advised that it is a bad idea to set up a transparent authenticating
proxy as this will utterly break HTTP authentication.
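The default-deny firewall described in the quoted reply, combined with the rate-limited reject James mentions, as an added nftables example (my own, not from any poster in this thread; it assumes ssh is the only local service, on port 22, and that nftables is installed). Rejected outbound attempts are also logged, which gives a simple signal of a host trying to phone home:

```shell
#!/bin/sh
# Added example, not from the thread. Default-deny in both directions:
# only inbound ssh and outbound DNS/ssh/web may open new connections.
# Unexpected outbound attempts get a rate-limited, logged reject rather
# than a silent drop; anything over the rate falls through to policy drop.
# Assumptions: nftables available, ssh on 22, no other local services.

gen_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport 22 ct state new accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        udp dport 53 accept
        tcp dport { 22, 80, 443 } ct state new accept
        limit rate 10/second log prefix "egress-reject " reject with icmpx type admin-prohibited
    }
}
EOF
}

apply_ruleset() {
    # Load the whole ruleset atomically; as non-root, only print it.
    # "nft -c -f -" can be used first to syntax-check without installing.
    if [ "$(id -u)" -eq 0 ]; then
        gen_ruleset | nft -f -
    else
        echo "not root: printing ruleset instead of applying it" >&2
        gen_ruleset
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Once loaded, `grep egress-reject` over the kernel log shows which processes on the box are trying to reach ports you never allowed.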



