
Re: should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)



On Fri, Mar 31, 2017 at 02:17:35PM +0100, Brian wrote:
> On Fri 31 Mar 2017 at 14:18:04 +0200, tomas@tuxteam.de wrote:
> 
> > On Sat, Apr 01, 2017 at 01:00:45AM +1300, cbannister@slingshot.co.nz wrote:
> > 
> > [...]
> > 
> > > My understanding is that if there are no services listening on a port then
> > > it cannot be accessed.
> > > 
> > > e.g.
> > > 
> > > http://serverfault.com/questions/733633/if-no-service-is-listening-on-a-port-can-a-system-still-be-accessed-using-that-p
> > > 
> > > Am I missing something?
> 
> I rather thought cbannister had the correct idea: nothing listening;
> therefore no access.
>  
> > As Dominik said: it's "defense in depth". If your PHP^H^H^H web application
> > has some code injection issue, your adversary might well install a C&C
> > server listening on that port, and work from there on (exfiltrate data,
> > try some privilege escalation, whatever).
> > 
> > Now there might be other avenues for that, but security is about closing
> > the avenue your adversary is going to use next ;-)
> 
> If someone unauthorised is on your machine can they not just as well
> remove firewall rules?

If they have done the privilege escalation bit, then yes. If they are
"just" running as the web server user (which hopefully ain't root) then
"not... yet". Unless you've set up sudo so that www-user can change
the firewall rules. But then you'd have to tell us more about that ;-D

Regards
-- tomás
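An added example, not part of the original message: a check for the case mentioned above, where sudo has been set up so that the web server account (www-user) can change the firewall rules. The sudoers text is constructed, the tool list is an assumption, and the parser reads only plain user specifications (aliases and includes are not resolved).

```python
import posixpath
import re

# Tools that can rewrite packet-filter rules (illustrative list, an assumption).
FIREWALL_TOOLS = {"iptables", "ip6tables", "iptables-restore", "nft", "ufw", "firewall-cmd"}

# Constructed sample sudoers content; not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root      ALL=(ALL:ALL) ALL
%sudo     ALL=(ALL:ALL) ALL
www-user  ALL=(root) NOPASSWD: /sbin/iptables, /usr/bin/systemctl reload apache2
backup    ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# user host = (runas) [TAG:] cmd, cmd ...   (simplified user specification)
RULE = re.compile(r"^(?P<who>\S+)\s+\S+?\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")


def firewall_grants(sudoers_text, account, groups=()):
    """Return (line_no, command) pairs letting `account` run a firewall tool, or ALL."""
    subjects = {account, "ALL"} | {"%" + g for g in groups}
    findings = []
    for line_no, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drops comments (and #include lines)
        match = RULE.match(line)
        if not match or match["who"] not in subjects:
            continue  # blank line, Defaults, alias definition, or another account
        for cmd in match["cmds"].split(","):
            cmd = TAGS.sub("", cmd.strip())  # strip NOPASSWD: and similar tags
            if not cmd or cmd.startswith("!"):
                continue  # negated entries grant nothing
            binary = cmd.split()[0]
            if binary == "ALL" or posixpath.basename(binary) in FIREWALL_TOOLS:
                findings.append((line_no, binary))
    return findings


if __name__ == "__main__":
    for line_no, binary in firewall_grants(SAMPLE_SUDOERS, "www-user"):
        print(f"line {line_no}: www-user may run {binary} via sudo")
```

On a live system, `sudo -l -U www-user` run as root gives the authoritative answer, since it resolves aliases and included files.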

