Date:      Fri, 15 Jun 2001 12:52:53 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        Mike Silbersack <silby@silby.com>
Cc:        Gerhard Sittig <Gerhard.Sittig@gmx.net>, "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org>
Subject:   Re: apache security question
Message-ID:  <20010615125253.B75938@mail.webmonster.de>
In-Reply-To: <20010615000706.M23752-100000@achilles.silby.com>; from silby@silby.com on Fri, Jun 15, 2001 at 12:12:48AM -0500
References:  <20010614214542.K17514@speedy.gsinet> <20010615000706.M23752-100000@achilles.silby.com>



Mike Silbersack(silby@silby.com)@2001.06.15 00:12:48 +0000:
>
> On Thu, 14 Jun 2001, Gerhard Sittig wrote:
>
> > On Thu, Jun 14, 2001 at 21:22 +0200, Karsten W. Rohrbach wrote:
> > > why? for a web-only server? *grin*
> > > the only service that listens is httpd on tcp port 80, for
> > > severe network scanning and synflood handling consult the
> > > blackhole(4) man page.
> >
> > Consulting the "man 4 blackhole" output was exactly what I did
> > lately when the TCP_RESTRICT_RST setting became obsolete.  Your
> > statement made me curious, because I remembered the WARNING
> > section:
>
> In actuality, using TCP_RESTRICT_RST, blackhole, or ipfw isn't really going
> to help you weather an attack any better than doing nothing; the built-in
> ratelimiting features handle this already.

ratelimiting turned out to be too relaxed for several servers i got in
the field. was this changed from 4.2 to 4.3?

>
> restrict_rst and blackhole can, at best, frustrate people probing your
> network, but little more.  ipfw could protect other hosts if we're talking
> about a router, but can't help a FreeBSD box it's running on much.*

i did not want to say that blackhole(4) is a replacement for ipf(4).
since the b0rkedness of the rule parser, ipfw(4) is not an option
anymore for me. try matching multiple destination ports in one rule :-/

>
> So... don't worry about it.  (Or filter upstream if you are being attacked
> and are forced to worry about it.)

that's exactly what i wrote in the original mail, had it not been
removed.

> * Some attack tools have recognizable signatures, you could block those
> with ipfw.

oh, yes, and snort or similar things on a gateway in front of it to see
new ones ;-)

/k

-- 
> <?print(strrev(join(" ",split("[123]","rekcaH3PHP2rehtonA1tsuJ"))));?>
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46


