RE: How to tell if a Linux machine is a zombie?
> >> > > useful in this environment?
> >> > Many folks like that one. I use shorewall. You can always block
> >> > outgoing ports that you don't use. If you don't run an ftp server,
> >> > port 20 and 21, etc.
> >> >
> >> That is why I really like the "default deny" mentality. Start by
> >> blocking all incoming and outgoing new connections. Allow only
> >> connections for services that you know you are running. Allow only
> >> outbound connections for things you know you want to do. If you only
> >> browse the web and use ssh, then only allow those ports. Many badware
> >> applications use port 80 or port 443, since those are very rarely
> >> blocked. For bonus points, block those and set up an authenticating
> >> proxy.
> > The default deny policy can also open up a security hole on its own.
> > Be aware that the default rate-limited reject policy can be better.
> > Even for blocking 80 / 443 this is why some places use proxies, because you
> > block everything else but allow the proxy. It can be even more secure to
> > use a transparent proxy because something on port 80 is forced to talk
> > http instead of another protocol.
> Be advised that it is a bad idea to set up a transparent authenticating
> proxy as this will utterly break HTTP authentication.
In which case the block everything and allow the proxy will work and of
course configure the proxy on every machine. The only difference with that
is the malware etc. can detect the proxy if it looks for it and use it to
communicate. Though you can then configure / check logs on the proxy to look
for things like that.
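One way to do the proxy-log check mentioned in that last message, as an added example that is not from the thread or any of its participants: a Python script that reads Squid-style proxy logs (the native access.log layout is assumed) and flags clients that repeatedly fail proxy authentication or open CONNECT tunnels to ports other than 443. The sample log lines are constructed.

```python
# Added example (not from the thread): flag proxy clients whose traffic looks
# like a program using the proxy rather than a person.  Assumes Squid's native
# access.log layout: ts elapsed client result/status bytes method url user hier type
from collections import defaultdict

# Constructed sample log: 10.0.0.5 behaves like a browser; 10.0.0.9 keeps
# failing proxy authentication and then tunnels to a non-HTTPS port.
SAMPLE_LOG = """\
1700000000.1 120 10.0.0.5 TCP_MISS/200 5120 GET http://example.org/ alice HIER_DIRECT/203.0.113.10 text/html
1700000000.2 80 10.0.0.5 TCP_TUNNEL/200 2048 CONNECT example.org:443 alice HIER_DIRECT/203.0.113.10 -
1700000001.0 5 10.0.0.9 TCP_DENIED/407 3500 GET http://198.51.100.7/g.php - HIER_NONE/- text/html
1700000001.5 5 10.0.0.9 TCP_DENIED/407 3500 GET http://198.51.100.7/g.php - HIER_NONE/- text/html
1700000002.0 5 10.0.0.9 TCP_DENIED/407 3500 GET http://198.51.100.7/g.php - HIER_NONE/- text/html
1700000003.0 60 10.0.0.9 TCP_TUNNEL/200 900 CONNECT 198.51.100.7:6667 bob HIER_DIRECT/198.51.100.7 -
"""

def parse_line(line):
    """Split one native-format line into the fields the checks need."""
    f = line.split()
    if len(f) < 10:
        return None
    status = f[3].rpartition("/")[2]          # "TCP_DENIED/407" -> "407"
    return {"client": f[2], "status": int(status) if status.isdigit() else 0,
            "method": f[5], "url": f[6]}

def connect_port(url):
    """Port of a CONNECT target such as 'host:6667', or None if absent."""
    _, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def suspicious_clients(log_text, max_denied=2, tunnel_ports=(443,)):
    """Return {client_ip: [reasons]} for clients worth a closer look."""
    denied = defaultdict(int)
    reasons = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = rec["client"]
        # Repeated 407s: something keeps using the proxy without credentials.
        if rec["status"] == 407:
            denied[c] += 1
            if denied[c] == max_denied + 1:
                reasons[c].append("repeated proxy auth failures (407)")
        # CONNECT to a port other than 443: the tunnel is probably not HTTPS.
        if rec["method"] == "CONNECT":
            port = connect_port(rec["url"])
            if port is not None and port not in tunnel_ports:
                reasons[c].append(f"CONNECT to non-standard port {port}")
    return dict(reasons)
```

Run `suspicious_clients(SAMPLE_LOG)` to see the flagged client; point it at your own access.log text to apply the same two checks to real traffic.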