From owner-freebsd-security Thu Jun 14 22:12:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id ED76A37B405 for ; Thu, 14 Jun 2001 22:12:49 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 23787 invoked by uid 1000); 15 Jun 2001 05:12:48 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Jun 2001 05:12:48 -0000 Date: Fri, 15 Jun 2001 00:12:48 -0500 (CDT) From: Mike Silbersack To: Gerhard Sittig Cc: "'freebsd-security@freebsd.org'" Subject: Re: apache security question In-Reply-To: <20010614214542.K17514@speedy.gsinet> Message-ID: <20010615000706.M23752-100000@achilles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 14 Jun 2001, Gerhard Sittig wrote: > On Thu, Jun 14, 2001 at 21:22 +0200, Karsten W. Rohrbach wrote: > > why? for a web-only server? *grin* > > the only service that listens is httpd on tcp port 80, for > > severe network scanning and synflood handling consult the > > blackhole(4) man page. > > Consulting the "man 4 blackhole" output was exactly what I did > lately when the TCP_RESTRICT_RST setting became obsolete. Your > statement made me curious, because I remembered the WARNING > section: In actuality, using TCP_RESTICT_RST, blackhole, or ipfw isn't really going to help you weather an attack any better than doing nothing; the built-in ratelimiting features handle this already. restrict_rst and blackhole can, at best, frustrate people probing your network, but little more. ipfw could protect other hosts if we're talking about a router, but can't help a FreeBSD box it's running on much.* So... don't worry about it. (Or filter upstream if you are being attacked and are forced to worry about it.) Mike "Silby" Silbersack * Some attack tools have recognizeable signatures, you could block those with ipfw. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message