From: Mel
To: freebsd-questions@freebsd.org
Cc: Paul Schmehl, Gary Newcombe
Date: Fri, 18 Apr 2008 20:30:53 +0200
Subject: Re: [SSHd] Limiting access from authorized IP's
Message-Id: <200804182030.57588.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu>
References: <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com> <20080418191449.212f43d3.gary@pattersonsoftware.com> <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu>

On Friday 18 April 2008 16:53:49 Paul Schmehl wrote:
> I see this statement all the time, and I wonder why. What does a firewall
> on an individual host accomplish?
...
> Firewalls are for preventing access to running services. By definition, if
> you are running a service, you want it to be accessed.

That's your assumption.
First of all, firewalls are for preventing unwanted connections; this is not necessarily the same as access to running services. Prime examples: cable modem and Windows hosts broadcasting spam on an ISP's network, ping floods. User scans [1], vulnerability scans, open relay scanners and spammers fall into the running services category.

> So firewalls are
> self-defeating or completely useless at the host level **unless** you don't
> know what you're doing.

Or, when you do know what you're doing and don't see the firewall as a single entity but as a node in the security tree, where tools like grok come in as well.

> For an individual host it makes a great deal more sense to only run those
> services you intend to use ***and keep them up to date and properly
> configured***.

It is an illusion to think that the patch always comes before the exposure. Secondly, depending on the amount of services you offer, this can be a full task, and especially for the "hobby" category it is more time-efficient to shut off any unauthorized traffic to begin with. Say some webapp allows uploading a file and executing it. It is then quite easy to add a daemon to your server that you have not configured. With a firewall in default block mode, this daemon does not receive connections. Even when the patch is released before exposure, you could be, say, sleeping and it can be too late. For some this is paranoia, for others common sense.

> Firewalls are too often crutches for people that don't want to learn how to
> properly maintain a host.

Or save time, till it can be properly done. You're also assuming that you have full control over installed software. In the "hobby" case you mention or in a hosting environment this isn't always reality.

> # sockstat | grep cupsd
> root cupsd 6208 3 stream /var/run/cups.sock
> root cupsd 6208 4 udp4 *:631 *:*

Sure:
    block in proto udp from any to any port 631
Works for nfs and rpc as well :)

> [4] # grep sshd /etc/defaults/rc.conf
> sshd_enable="NO" # Enable sshd

No?
Surely you're not using inetd? sshd has tcp wrapper support built in, so you can set everything from /etc/ssh/sshd_config, including the port and using tcp wrappers. So in the event inetd is vulnerable, sshd won't be.

[1] # cat /etc/pf/grok-ssh.conf
file "/var/log/auth.log" {
  type "ssh-illegal-user" {
    match = "Invalid user %USERNAME% from %IP%";
    threshold = 5;     # 5 hits ...
    key = "%IP%";      # from a single ip ...
    interval = 60;     # in 1 minute
    reaction = "/sbin/pfctl -t scans -Tadd %IP%";
  };
  type "ssh-scan-possible" {
    match = "Did not receive identification string from %IP%";
    threshold = 3;
    interval = 60;
    reaction = "/sbin/pfctl -t scans -Tadd %IP%";
  };
};

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
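As an added illustration (not part of Mel's post and not grok's own code), here is the threshold/interval logic of the two grok-ssh.conf rules above written out in Python: each (rule, IP) key keeps a sliding window of hit timestamps and fires the pfctl reaction once the window holds `threshold` hits within `interval` seconds. The auth.log excerpt, hostname and addresses are constructed for the example; the exact windowing semantics of grok itself are an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The two rules from grok-ssh.conf: (name, pattern, threshold, interval in seconds).
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
RULES = [
    ("ssh-illegal-user", re.compile(r"Invalid user \S+ from " + IP), 5, 60),
    ("ssh-scan-possible", re.compile(r"Did not receive identification string from " + IP), 3, 60),
]
# syslog timestamp at the start of each auth.log line, e.g. "Apr 18 18:30:01".
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")

def scan_authlog(lines, year=2008):
    """Return (rule, ip) pairs in the order their reaction fires: a key fires once
    its sliding window holds `threshold` hits no more than `interval` seconds apart."""
    windows, fired = defaultdict(deque), []
    for line in lines:
        t = TS_RE.match(line)
        if not t:
            continue  # lines without a syslog timestamp are ignored
        ts = datetime.strptime(f"{year} {t.group('ts')}", "%Y %b %d %H:%M:%S")
        for name, pat, threshold, interval in RULES:
            m = pat.search(line)
            if not m:
                continue
            key = (name, m.group("ip"))
            w = windows[key]
            w.append(ts)
            while (ts - w[0]).total_seconds() > interval:  # expire hits outside the window
                w.popleft()
            if len(w) >= threshold and key not in fired:   # react once per key
                fired.append(key)
    return fired

def pfctl_commands(fired):
    """Render the reaction line from the config for each firing key."""
    return [f"/sbin/pfctl -t scans -Tadd {ip}" for _, ip in fired]

# Constructed auth.log excerpt: five bad logins in 20 s from 192.0.2.10; the banner
# failures from 198.51.100.7 are 90 s apart, so they never reach 3 inside 60 s.
SAMPLE_LOG = """\
Apr 18 18:30:01 host sshd[1234]: Invalid user admin from 192.0.2.10
Apr 18 18:30:05 host sshd[1235]: Invalid user oracle from 192.0.2.10
Apr 18 18:30:09 host sshd[1236]: Invalid user test from 192.0.2.10
Apr 18 18:30:14 host sshd[1237]: Invalid user guest from 192.0.2.10
Apr 18 18:30:20 host sshd[1238]: Invalid user postgres from 192.0.2.10
Apr 18 18:31:00 host sshd[1240]: Did not receive identification string from 198.51.100.7
Apr 18 18:32:30 host sshd[1241]: Did not receive identification string from 198.51.100.7
""".splitlines()
```

Running `pfctl_commands(scan_authlog(SAMPLE_LOG))` yields only the add for 192.0.2.10, showing how the interval keeps slow, spread-out probes from being tabled while a burst of bad logins is.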