Date: Fri, 18 Apr 2008 21:37:45 +0200
From: Mel <fbsd.questions@rachie.is-a-geek.net>
To: freebsd-questions@freebsd.org
Cc: Paul Schmehl <pauls@utdallas.edu>
Subject: Re: [SSHd] Limiting access from authorized IP's
Message-ID: <200804182137.47157.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <4BCB6B9718ABAC4774F5506E@utd65257.utdallas.edu>
References: <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com> <200804182030.57588.fbsd.questions@rachie.is-a-geek.net> <4BCB6B9718ABAC4774F5506E@utd65257.utdallas.edu>
On Friday 18 April 2008 20:53:37 Paul Schmehl wrote:
> --On Friday, April 18, 2008 20:30:53 +0200 Mel
>
> <fbsd.questions@rachie.is-a-geek.net> wrote:
> > On Friday 18 April 2008 16:53:49 Paul Schmehl wrote:
> >> Firewalls are for preventing access to running services. By definition,
> >> if you are running a service, you want it to be accessed.
> >
> > That's your assumption.
> > First of all, firewalls are for preventing unwanted connections; this is
> > not necessarily the same as access to running services.
> > Prime examples: cable modem and Windows hosts broadcasting spam on an ISP's
> > network, ping floods. User scans [1], vulnerability scans, open relay
> > scanners and spammers fall into the running services category.
>
> They don't fall into the category of services that you authorized or
> approved of. Keep in mind, we're talking about *hosts*, individual
> workstations if you will, not enterprises.
Well, I don't particularly like someone using my bandwidth to find out if I
changed my mailserver config such that I would now be an open relay, every
10-20 minutes for weeks on end, so I want it to be over with at the TCP
level, not at the daemon level.
Individual hosts are exactly the target for these scans. Same with the
webserver: there are a great number of requests that separate a scan from a
legitimate user.
> >> For an individual host it makes a great deal more sense to only run
> >> those services you intend to use ***and keep them up to date and
> >> properly configured***.
> >
> > It is an illusion to think that the patch always comes before the
> > exposure.
>
> It's a worse illusion to believe the firewall is going to help. If the
> service is exposed and compromised, the firewall wouldn't be blocking it
> anyway.
In a targeted scenario, this is correct. However, scans precede the attack
and, as in the example I gave with grok, you can limit the chances that the
attacker gets the information he needs to exploit the bug he's looking for.
> Furthermore, if the host is compromised, the firewall is one of the
> first things that will be disabled.
That would require root. So there's something else wrong in the chain, or it
is one of those unfortunate services that run as root.
> > Secondly, depending on the number of services you offer, this can be a
> > full-time task, and especially for the "hobby" category it is more
> > time-efficient to shut off any unauthorized traffic to begin with.
> > Say some webapp allows uploading a file and executing it. It is then
> > quite easy to add a daemon to your server that you have not configured.
> > With a firewall in default block mode, this daemon does not receive
> > connections. Even when the patch is released before exposure, you could
> > be, say, sleeping and it can be too late. For some this is paranoia, for
> > others common sense.
>
> Again, the firewall is providing a false sense of security in exactly the
> scenario you propose. Where do you think hackers' daemons are running
> these days? **On the ports that you can't close on the firewall**.
I'm curious which those are.
>
> >> [4] # grep sshd /etc/defaults/rc.conf
> >> sshd_enable="NO" # Enable sshd
> >
> > No? Surely you're not using inetd?
>
> I haven't used inetd in years. I'm not sure why you think I would be.
Well, since sshd_enable is set to no, I assumed inetd would be where you've
started it.
--
Mel
Problem with today's modular software: they start with the modules
and never get to the software part.
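The following is an added example, not code from either participant in the thread. It shows the default-block host firewall Mel argues for, written as a FreeBSD pf.conf ruleset that passes sshd only from an administrator address table and drops everything else inbound, so a daemon an attacker manages to start on an unexpected port never receives a connection. The interface name `em0` and the addresses in the `<ssh_admins>` table are assumptions (documentation ranges); replace them with your own.

```pf
# /etc/pf.conf -- host firewall in default-block mode with sshd limited
# to authorized source addresses. Added example; interface and addresses
# are hypothetical and must be adjusted for the real host.
ext_if = "em0"

# Constructed list of administrator sources allowed to reach sshd.
table <ssh_admins> persist { 192.0.2.10, 198.51.100.0/28 }

# Sources that exceed the ssh connection-rate limit land here (see below).
table <ssh_abusers> persist

set skip on lo0
set block-policy drop

# Normalise fragments before filtering.
scrub in on $ext_if all

# Default block: anything inbound that no later rule passes is dropped,
# including listeners you did not configure (pf is last-match-wins unless
# a rule says "quick").
block in log all
pass out on $ext_if all keep state

# Abusers are cut off before any pass rule can apply.
block in quick on $ext_if from <ssh_abusers>

# sshd: only from the admin table, stateful, with a per-source rate limit.
# More than 5 new connections in 30 s adds the source to <ssh_abusers>
# and flushes its existing states.
pass in on $ext_if proto tcp from <ssh_admins> to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <ssh_abusers> flush global)

# Services you actually intend to expose are passed explicitly; everything
# else stays under the default block above.
pass in on $ext_if proto tcp to ($ext_if) port { 25, 80 } flags S/SA keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` (parse only) before loading it with `pfctl -f /etc/pf.conf`, and enable both pf and sshd at boot in `/etc/rc.conf` (`pf_enable="YES"`, `sshd_enable="YES"`), which overrides the `sshd_enable="NO"` default quoted from `/etc/defaults/rc.conf` above. `pfctl -t ssh_abusers -T show` lists sources caught by the overload rule. As defence in depth, the same source restriction can be repeated inside sshd with `AllowUsers user@192.0.2.10` or a `Match Address` block in `sshd_config`, so that a mistake in the firewall does not by itself expose the daemon.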
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200804182137.47157.fbsd.questions>
