From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Mike Silbersack
Cc: Gerhard Sittig, "'freebsd-security@freebsd.org'"
Subject: Re: apache security question
Date: Fri, 15 Jun 2001 12:52:53 +0200
Message-ID: <20010615125253.B75938@mail.webmonster.de>
In-Reply-To: <20010615000706.M23752-100000@achilles.silby.com>
References: <20010614214542.K17514@speedy.gsinet> <20010615000706.M23752-100000@achilles.silby.com>
User-Agent: Mutt/1.2.5i

Mike Silbersack(silby@silby.com)@2001.06.15 00:12:48 +0000:
>
> On Thu, 14 Jun 2001, Gerhard Sittig wrote:
>
> > On Thu, Jun 14, 2001 at 21:22 +0200, Karsten W. Rohrbach wrote:
> > > why? for a web-only server? *grin*
> > > the only service that listens is httpd on tcp port 80, for
> > > severe network scanning and synflood handling consult the
> > > blackhole(4) man page.
> >
> > Consulting the "man 4 blackhole" output was exactly what I did
> > lately when the TCP_RESTRICT_RST setting became obsolete. Your
> > statement made me curious, because I remembered the WARNING
> > section:
>
> In actuality, using TCP_RESTRICT_RST, blackhole, or ipfw isn't really going
> to help you weather an attack any better than doing nothing; the built-in
> ratelimiting features handle this already.

ratelimiting turned out to be too relaxed for several servers i got in
the field. was this changed from 4.2 to 4.3?

>
> restrict_rst and blackhole can, at best, frustrate people probing your
> network, but little more. ipfw could protect other hosts if we're talking
> about a router, but can't help a FreeBSD box it's running on much.*

i did not want to say that blackhole(4) is a replacement for ipf(4).
since the b0rkedness of the rule parser, ipfw(4) is not an option
anymore for me. try matching multiple destination ports in one rule :-/

>
> So... don't worry about it. (Or filter upstream if you are being attacked
> and are forced to worry about it.)

that's exactly what i wrote in the original mail, would it not have
been removed.

> * Some attack tools have recognizable signatures, you could block those
> with ipfw.
oh, yes, and snort or similar things on a gateway in front of it to see
new ones ;-)

/k

-- 
> KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46