Mailing List Archive

Re: Re: Opening ports >1023 a security risk ?
On 23 Sep 2004, at 08:11, Billy wrote:
> I've also blocked all access to port ssh (22) unless it's from my
> cable company. Everyone I know has RoadRunner, the business
> connection is RR, my home is RR, all my friends are RR. Everyone else
> is blocked. Why? I don't want some guy in China hitting my boxes
> testing my passwords. If it's some guy in the RR network, it's easier
> to track down. It's also less exposure. Less is Best! The only person
> that should even be *attempting* to ssh into my systems is... me.

If "some guy in China hitting [your] boxes testing [your] passwords" is
a concern, you may want to disable password/interactive authentication
in SSH and use an authentication key instead.

man ssh-keygen for more info.
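As an added illustration of the key-only setup suggested above (example code, not part of the original thread or of OpenSSH), here is a short Python audit of sshd_config that applies sshd's own reading rules: keywords are case-insensitive, the first occurrence of a keyword wins (so a `PasswordAuthentication no` appended below an earlier `yes` does nothing), and a `Match` block can re-enable passwords for particular users even when the global setting is `no`. The three configs are constructed samples; the alias handling follows the OpenSSH 8.7 rename of ChallengeResponseAuthentication to KbdInteractiveAuthentication.

```python
"""Audit an sshd_config for "keys only" logins.

Added example, not code from the original post. It reads a constructed
sshd_config the way sshd does: keywords are case-insensitive, the first
occurrence of a keyword wins, lines starting with '#' are comments, and a
Match block can override the global value for some users.
"""
import re

# OpenSSH 8.7 renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication and keeps the old name as an alias, so fold
# both spellings into one key before applying the first-match rule.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# sshd defaults used when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
NAMES = {"passwordauthentication": "PasswordAuthentication",
         "kbdinteractiveauthentication": "KbdInteractiveAuthentication",
         "pubkeyauthentication": "PubkeyAuthentication"}
INTERACTIVE = ("passwordauthentication", "kbdinteractiveauthentication")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps keyword -> first value seen; match_blocks is a list
    of (criteria, settings) pairs, one per Match section, in file order.
    """
    global_settings, match_blocks = {}, []
    current = global_settings            # switches to a Match block's dict
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" or "Keyword=value", as sshd_config(5) allows.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((parts[1].strip(), current))
            continue
        current.setdefault(key, value)   # first occurrence wins, as in sshd
    return global_settings, match_blocks


def audit_password_auth(text):
    """Return findings as strings; an empty list means passwords are really off."""
    settings, matches = parse_sshd_config(text)
    findings = []
    for key in INTERACTIVE:
        if settings.get(key, DEFAULTS[key]) != "no":
            findings.append(f"global {NAMES[key]} is not 'no'")
    if settings.get("pubkeyauthentication", DEFAULTS["pubkeyauthentication"]) != "yes":
        findings.append("global PubkeyAuthentication is not 'yes'")
    for criteria, block in matches:
        for key in INTERACTIVE:
            if block.get(key) == "yes":
                findings.append(f"Match {criteria} re-enables {NAMES[key]}")
    return findings


# Constructed samples, not real hosts.
WEAK = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
# appended later in the hope of turning passwords off; sshd keeps the first value
PasswordAuthentication no
"""

HARDENED = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# Globally hardened, but a Match block quietly reopens passwords for one account.
LEAKY = HARDENED + """\
Match User guest
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED), ("LEAKY", LEAKY)):
        print(name, audit_password_auth(cfg) or "ok")
```

After changing the file, `sshd -t` checks the syntax, and it is worth opening a second session and confirming that key login works (and that a password prompt no longer appears) before closing the session you already have.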
Re: Re: Opening ports >1023 a security risk ?
Andrew Farmer wrote:

> If "some guy in China hitting [your] boxes testing [your] passwords" is
> a concern, you may want to disable password/interactive authentication
> in SSH and use an authentication key instead.

that would work, however that would require a keychain USB device
specifically for that purpose, i.e. a Windows-accessible file system. I
can barely keep track of my sunglasses, much less a USB device that
will undoubtedly be smashed, banged (and possibly drowned) along the way.

Contrary to my wife's perception, I don't *always* carry my laptop around.

--
gentoo-user@gentoo.org mailing list
Re: Opening ports >1023 a security risk ?
Billy wrote:
> Alexander Skwar wrote:
>
>> Everything you said is true, but compared to the much more typical
>> "all or nothing" setup, that's a quite advanced setup you're
>
> I just don't understand how any computer that is connected to millions
> of other computers could possibly *not* want to limit their exposure.

Well, by completely shutting down a service, you're limiting the
exposure even more, aren't you? ;)

> People make mistakes. Computers are vulnerable. Limit your exposure by
> utilizing some type of packet filtering.

However, people make mistakes. If you trust that your filtering protects
you, you may find yourself all of a sudden wide open to attacks, because
your filtering rules aren't so good.

> That's all I was trying to get
> across.

Me too. Hence no overly complicated setups.

Alexander Skwar
--
Remember though that
THERE IS NO GENERAL RULE FOR CONVERTING A LIST INTO A SCALAR.
-- Larry Wall in the perl man page
Re: Re: Opening ports >1023 a security risk ?
Alexander Skwar wrote:

> Well, by completely shutting down a service, you're limiting the
> exposure even more, aren't you? ;)

that doesn't help much if you need that service running.. such as ssh or
apache.

> However, people make mistakes. If you trust that your filtering protects
> you, you may find yourself all of a sudden wide open to attacks, because
> your filtering rules aren't so good.

as someone else said, security is like an onion, each tool being a
layer, using only one security tool makes for a very flimsy onion. If I
used mega packet filtering rules, and had no passwords, then I would be
better off using no mega packet filtering rules, and changing my
passwords to random strings every day. However, using both tools
(filtering and strong passwords), you now have a stronger system than
the sum of each.

Bottom line - packet filtering is a good thing, and should be used
together with all the other security tools you're already using: (1)
strong passwords, (2) unused services/daemons disabled, (3) log
monitoring (even simple log summaries).

>>That's all I was trying to get across.
> Me too. Hence no overly complicated setups.

my ip filtering rules are more complex than most. It's easier to manage
since I've grouped the rules by function and usage. That's just me. I
have needs that other users may not. However, to set up a very simple tcp
filter is easy. (1) Allow your public service ports, (2) Allow your
trusted machines, (3) Deny all incoming connections (syn-bit), Accept
everything else.

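To make the four steps concrete, here is an added model of that policy in Python (example code, not Billy's actual rules and not any Gentoo script): each constructed packet is run through the rules in the order given and gets the verdict an iptables INPUT chain built the same way would give. The addresses are assumptions from the documentation ranges; the trusted network stands in for the cable provider's block mentioned earlier in the thread. It also answers the thread's original question in one case: a daemon started by an ordinary user on port 6667 is unreachable from untrusted hosts under rule 3, but still reachable from the trusted network.

```python
"""Model of the four-rule TCP filter described in the post above.

Added example, not code from the original post or from any firewall
package. Rules are applied in the order the post gives: allow public
service ports, allow trusted sources, drop every other incoming SYN,
accept the rest. All packets and addresses are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_TCP_PORTS = {80, 443}                      # rule 1: services anyone may reach
TRUSTED_NETS = [ip_network("198.51.100.0/24")]    # rule 2: hypothetical provider block


@dataclass(frozen=True)
class Packet:
    src: str      # source address as text
    dport: int    # destination TCP port on this host
    syn: bool
    ack: bool


def is_new_connection(pkt):
    """A connection attempt has SYN set and ACK clear.

    This is what iptables' `-p tcp --syn` matches (it also requires RST and
    FIN to be clear; those flags are omitted from this model).
    """
    return pkt.syn and not pkt.ack


def classify(pkt):
    """Return (verdict, rule) for a TCP packet arriving on the public side."""
    src = ip_address(pkt.src)
    if not is_new_connection(pkt):
        # Rule 4: anything that is not a connection attempt passes. Replies to
        # connections we opened land here; so do stray ACKs, but without a SYN
        # no listening socket will ever turn them into a session.
        return "ACCEPT", "4: not a SYN"
    if pkt.dport in PUBLIC_TCP_PORTS:
        return "ACCEPT", "1: public service port"
    if any(src in net for net in TRUSTED_NETS):
        return "ACCEPT", "2: trusted source"
    return "DROP", "3: new connection from untrusted host"


# Constructed traffic: 203.0.113.5 plays "some guy on the Internet",
# 198.51.100.7 plays a machine on the trusted network.
SAMPLE = [
    Packet("203.0.113.5", 80, syn=True, ack=False),      # web hit from anywhere
    Packet("203.0.113.5", 22, syn=True, ack=False),      # ssh password guessing
    Packet("198.51.100.7", 22, syn=True, ack=False),     # ssh from the trusted net
    Packet("203.0.113.5", 6667, syn=True, ack=False),    # user-run daemon above 1023
    Packet("198.51.100.7", 6667, syn=True, ack=False),   # same daemon, trusted source
    Packet("203.0.113.5", 40123, syn=True, ack=True),    # SYN/ACK answering our own SYN
]


def run(packets=SAMPLE):
    """Classify every packet; returns a list of (verdict, rule) in input order."""
    return [classify(p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, rule) in zip(SAMPLE, run()):
        print(f"{pkt.src:>13} -> :{pkt.dport:<5} {verdict:6} ({rule})")
```

Two things the model makes visible that the list of four steps does not: the policy is stateless, so it relies entirely on the SYN check rather than on connection tracking, and it says nothing about UDP, so a game or DNS service on UDP needs its own rules.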
Re: Re: Opening ports >1023 a security risk ?
On 23 Sep 2004, at 13:19, Billy wrote:
> Andrew Farmer wrote:
>> If "some guy in China hitting [your] boxes testing [your] passwords"
>> is a concern, you may want to disable password/interactive
>> authentication in SSH and use an authentication key instead.
>
> that would work, however that would require a keychain USB device
> specifically for that purpose, i.e. a Windows-accessible file system. I
> can barely keep track of my sunglasses, much less a USB device that
> will undoubtedly be smashed, banged (and possibly drowned) along the
> way.

Ah, I assumed you'd always log in from your own machine. Never mind.
Re: Opening ports >1023 a security risk ?
Billy wrote:
> Alexander Skwar wrote:
>
>> Well, by completely shutting down a service, you're limiting the
>> exposure even more, aren't you? ;)
>
> that doesn't help much if you need that service running.. such as ssh or
> apache.

If you do, a filter doesn't help much.

>> However, people make mistakes. If you trust that your filtering protects
>> you, you may find yourself all of a sudden wide open to attacks, because
>> your filtering rules aren't so good.
>
> as someone else said, security is like an onion, each tool being a
> layer, using only one security tool makes for a very flimsy onion.

Well, but why add another layer of complexity? If a service is not
running, you only open yourself to more attacks, if you allow a filter
to be accessible from the net.

> Bottom line - packet filtering is a good thing, and should be used
> together with all the other security tools you're already using: (1)
> strong passwords, (2) unused services/daemons disabled, (3) log
> monitoring (even simple log summaries).

No, I disagree. On a pure client system, there are no services running
that are accessible from the net. That being the case, there's no
added benefit at all, when you add software that is (by its pure
definition) accessible from the net. The packet filter is a piece
of software that HAS to be accessed from the net.

Alexander Skwar
--
BOFH Excuse #319:

Your computer hasn't been returning all the bits it gets from the Internet.
Re: Re: Opening ports >1023 a security risk ?
Joel Merrick wrote:
> A good (and stolen) analogy for a security model is that it should be
> perceived like an onion.

I thought Ogres were like onions?

--
Iain

As usual, this being a 1.3.x release, I haven't even compiled this
kernel yet. So if it works, you should be doubly impressed.
(Linus Torvalds, announcing kernel 1.3.3 on the linux-kernel mailing list.)

Re: Opening ports >1023 a security risk ?
Tamas Sarga said:
>
> On Sun, 19 Sep 2004, Felix Tiede wrote:
>
>>
>>
>> First thing:
>> You don't need to close any ports if there are no services listening to
>> these ports. So, if you don't have any running service (like a webserver)
>> you don't need to have a firewall at all. A port on which no application is
>> listening is closed anyway, whether there is a firewall or not.
>> This is also the case, if your box doesn't need to route between LAN and
>> internet.
>>
>
> Hi,
>
> Maybe I'm very wrong. I think that users can open ports above 1024. It
> can be a sec-hole, can't it?
> If I'm wrong, please correct me, thanks.
- yep.

General guidelines for security
1. Do not assume anything
2. Trust no-one,nothing
3. Nothing is secure
4. Security is a trade-off with usability
5. Paranoia is your friend

--
Myroslav Rys


Re: Re: Opening ports >1023 a security risk ?
Alexander Skwar wrote:

>>that doesn't help much if you need that service running.. such as ssh or
>>apache.
> If you do, a filter doesn't help much.

that's very illogical. Who's to say that those services should be
public? Filters help, especially when you want more usability.

> Well, but why add another layer of complexity? If a service is not
> running, you only open yourself to more attacks, if you allow a filter
> to be accessible from the net.

I think you meant something else. If a service is not running, you won't
open yourself to more attacks. Is that what you meant? Otherwise I'm not
sure I understand. Could you rephrase?

> No, I disagree. On a pure client system, there are no services running
> that are accessible from the net.

Ah.. here is the truth of the argument. A "pure" client system. You're a
purist - a minority in the desktop world. A "pure" system rarely
happens. People play network games and host games, people chat and send
files to each other, identd is needed in some rare circumstances. In
reality, there are very few pure client systems.

> That being the case, there's no
> added benefit at all, when you add a software that is (by its pure
> definition) accessible from the net.

everything is software. even the kernel. it's accessible from the net.
so what's your point? oh.. BTW.. all software sucks. some less than others.

> The packet filter is a piece
> of software that HAS to be accessed from the net.

I could also argue that it is not a piece of software, but part of the
kernel itself (talking about iptables/ipchains - not sure about
netfilters they might be userspace). Thus, the packet filter would be a
portion of software that is *already* being accessed from the net.
