Date: Fri, 15 Jun 2001 00:12:48 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Cc: "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org>
Subject: Re: apache security question
Message-ID: <20010615000706.M23752-100000@achilles.silby.com>
In-Reply-To: <20010614214542.K17514@speedy.gsinet>
On Thu, 14 Jun 2001, Gerhard Sittig wrote:

> On Thu, Jun 14, 2001 at 21:22 +0200, Karsten W. Rohrbach wrote:
> > why? for a web-only server? *grin*
> > the only service that listens is httpd on tcp port 80, for
> > severe network scanning and synflood handling consult the
> > blackhole(4) man page.
>
> Consulting the "man 4 blackhole" output was exactly what I did
> lately when the TCP_RESTRICT_RST setting became obsolete. Your
> statement made me curious, because I remembered the WARNING
> section:

In actuality, using TCP_RESTRICT_RST, blackhole, or ipfw isn't really going to help you weather an attack any better than doing nothing; the built-in rate-limiting features handle this already. restrict_rst and blackhole can, at best, frustrate people probing your network, but little more. ipfw could protect other hosts if we're talking about a router, but can't help a FreeBSD box it's running on much.*

So... don't worry about it. (Or filter upstream if you are being attacked and are forced to worry about it.)

Mike "Silby" Silbersack

* Some attack tools have recognizable signatures; you could block those with ipfw.
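The two claims above (the kernel's own RST rate limit already bounds what a flood to a closed port can make the host emit, and blackhole only changes what a scanner sees) can be checked against a small model. The following is an added example written for this page, not code from the thread or from FreeBSD. It assumes the RST limiter behaves like FreeBSD's badport_bandlim, a per-second counter capped by net.inet.icmp.icmplim with a default of 200, and that net.inet.tcp.blackhole=1 makes the host drop SYNs to closed ports silently, per blackhole(4). The flood, the probe timings and the port set are constructed here.

```python
"""
Model of a FreeBSD host answering SYNs to closed TCP ports under
net.inet.tcp.blackhole=0 and =1, used to compare (a) how many RSTs a
SYN flood can extract per second and (b) what a port scanner learns.

Assumptions, not taken from the thread: the RST limiter is modelled on
badport_bandlim (per-second counter, cap net.inet.icmp.icmplim, default
200); blackhole=1 drops SYNs to closed ports with no reply.
"""
from collections import Counter
from dataclasses import dataclass, field

ICMPLIM_DEFAULT = 200  # assumed net.inet.icmp.icmplim default


@dataclass
class Host:
    blackhole: int = 0                      # net.inet.tcp.blackhole
    icmplim: int = ICMPLIM_DEFAULT          # net.inet.icmp.icmplim
    listening: frozenset = frozenset({80})  # the web-only server from the thread
    _window: int = field(default=-1, init=False)  # current 1-second bucket
    _count: int = field(default=0, init=False)    # RSTs emitted in that bucket

    def respond(self, t: float, dport: int) -> str:
        """Reply to a SYN at time t: 'SYN-ACK', 'RST' or '' (silent drop)."""
        if dport in self.listening:
            return "SYN-ACK"
        if self.blackhole:
            return ""                       # blackhole(4): no RST at all
        sec = int(t)
        if sec != self._window:             # new second: reset the counter
            self._window, self._count = sec, 0
        self._count += 1
        if self._count > self.icmplim:
            return ""                       # badport_bandlim: over the cap, drop
        return "RST"


def run_flood(host: Host, pps: int, seconds: int, dport: int = 12345) -> Counter:
    """Send pps SYNs per second to a closed port; return RSTs sent per second."""
    rst_per_sec = Counter()
    for i in range(pps * seconds):
        t = i / pps
        if host.respond(t, dport) == "RST":
            rst_per_sec[int(t)] += 1
    return rst_per_sec


def scan(host: Host, ports) -> dict:
    """Slow SYN scan (2 probes/s, far below icmplim), read the way nmap does:
    SYN-ACK = open, RST = closed, no reply = filtered."""
    verdict = {"SYN-ACK": "open", "RST": "closed", "": "filtered"}
    return {p: verdict[host.respond(1000 + i * 0.5, p)] for i, p in enumerate(ports)}


if __name__ == "__main__":
    for bh in (0, 1):
        h = Host(blackhole=bh)
        flood = run_flood(h, pps=100_000, seconds=3)
        peak = max(flood.values()) if flood else 0
        print(f"blackhole={bh}: 100k SYN/s to a closed port -> "
              f"peak {peak} RST/s from the host")
        print(f"blackhole={bh}: scanner sees {scan(Host(blackhole=bh), [80, 22, 12345])}")
```

With blackhole=0 the host answers at most icmplim RSTs per second no matter how hard the closed port is flooded, which is the "built-in rate-limiting handles this already" point; with blackhole=1 it sends none, but the scanner's view merely shifts from "closed" to "filtered" on the non-listening ports, while port 80 is reported open either way.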