From owner-freebsd-security  Thu Jun 14 22:12:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39])
	by hub.freebsd.org (Postfix) with ESMTP id ED76A37B405
	for <freebsd-security@freebsd.org>; Thu, 14 Jun 2001 22:12:49 -0700 (PDT)
	(envelope-from silby@silby.com)
Received: (qmail 23787 invoked by uid 1000); 15 Jun 2001 05:12:48 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 15 Jun 2001 05:12:48 -0000
Date: Fri, 15 Jun 2001 00:12:48 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Cc: "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org>
Subject: Re: apache security question
In-Reply-To: <20010614214542.K17514@speedy.gsinet>
Message-ID: <20010615000706.M23752-100000@achilles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


On Thu, 14 Jun 2001, Gerhard Sittig wrote:

> On Thu, Jun 14, 2001 at 21:22 +0200, Karsten W. Rohrbach wrote:
> > why? for a web-only server? *grin*
> > the only service that listens is httpd on tcp port 80, for
> > severe network scanning and synflood handling consult the
> > blackhole(4) man page.
>
> Consulting the "man 4 blackhole" output was exactly what I did
> lately when the TCP_RESTRICT_RST setting became obsolete.  Your
> statement made me curious, because I remembered the WARNING
> section:

In actuality, using TCP_RESTICT_RST, blackhole, or ipfw isn't really going
to help you weather an attack any better than doing nothing; the built-in
ratelimiting features handle this already.

restrict_rst and blackhole can, at best, frustrate people probing your
network, but little more.  ipfw could protect other hosts if we're talking
about a router, but can't help a FreeBSD box it's running on much.*

So... don't worry about it.  (Or filter upstream if you are being attacked
and are forced to worry about it.)

Mike "Silby" Silbersack

* Some attack tools have recognizeable signatures, you could block those
with ipfw.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message