Darxus on Tue, 26 Feb 2002 13:50:19 +0100

On 02/25, Jon Galt wrote:
> But here's a scenario he has suggested:
> "But still I suppose that if you had a dedicated server, say
> for HTTP, then your machine has no business listening to
> anything except HTTP coming in on port 80. If you set it up
> so that it responds only to HTTP on port 80, then a firewall
> between it and the Internet could not add anything but delay.
> Assuming, that is, that I know what I'm talking about."

I know there are knowledgeable people who choose to have their webserver inside their firewall, and only allow connections to port 80.

Honestly, if you have a Linux box that is *only* listening on ports that you need it to be listening on (just port 80 in this case), *and* you keep all the software up to date on that machine (especially the webserver (probably apache), and especially security patches), then you are better off than most people.

But there is always the possibility, in a case like that (web server behind firewall with only port 80 open), that an apache exploit could be discovered and someone could hack into your webserver via that single open port 80, and then they would have full access to your internal protected lan.

Also, having a dedicated firewall is better than having one that also runs, say, Apache. The more you run on it, the more possibilities of exploits and hacking. But having a non-dedicated firewall is also better than having no firewall.

Most important, be sure that every box you have access to is only listening on the ports that it needs to. When you portscan a box, if you see a port open, figure out why it's open, and if you don't need it open, or you don't know what it's for, figure out how to close it.

And always keep less secure operating systems behind a firewall if possible.

> Now this is useful. What can be done with simply an open port number?
> Also, is there software I can get for my Linux box that I can use to port
> scan my Windows box? What about a packet sniffer (?) to watch all traffic
> on and into/out of my network?

nmap: http://www.insecure.org/nmap/ - there are packages for most linux distros.

I feel a need to say this again: If you're running Debian, it's real easy to just run "apt-get update;apt-get dist-upgrade" every day and be up to date on security patches every day. I think recent versions of RedHat have something equivalent. These are very good things.

-- 
"Every man, woman and child on the face of this earth is at the mercy of chaos." - a maxwell smart movie
http://www.ChaosReigns.com

Attachment: pgp3cWkBxR0dJ.pgp
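The advice above is to portscan your own boxes and account for every open port. As an added example that is not part of Darxus's message or of nmap, here is a minimal TCP connect scan in Python that makes the same three-way distinction nmap reports: a port is "open" when the handshake completes, "closed" when the host answers with a RST (connection refused), and "filtered" when the probe times out, which is what a firewall silently dropping the SYN looks like from the outside. The host (127.0.0.1), the port list `SAMPLE_PORTS` and the `start_listener` helper are assumptions constructed so the example runs offline against its own listener.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed sample port list for the demo: HTTP/HTTPS plus a few services
# that are often found listening on a box that should only serve port 80.
SAMPLE_PORTS = [22, 25, 80, 110, 139, 443, 445, 3306]


def probe(host, port, timeout=0.5):
    """TCP connect() probe of a single port.

    Returns "open"     when the three-way handshake completes (a listener exists),
            "closed"   when the host replies with a RST (nothing is listening),
            "filtered" when nothing comes back before the timeout, i.e. the
                       SYN was dropped somewhere (typically a firewall).
    Any other socket error (host unreachable, name lookup failure) is also
    reported as "filtered", since from the scanner's side it is silence.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout / TimeoutError are OSError subclasses
        return "filtered"


def scan(host, ports, timeout=0.5, workers=32):
    """Probe every port in `ports` concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(host, ports, timeout=0.5):
    """Sorted list of the ports that accepted a connection."""
    return sorted(p for p, s in scan(host, ports, timeout).items() if s == "open")


def start_listener(host="127.0.0.1"):
    """Helper (assumption, not part of the scanner): bind a listening socket on
    an ephemeral loopback port so the scan has something to find.
    Returns (socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    try:
        ports = SAMPLE_PORTS + [port]
        for p, state in sorted(scan("127.0.0.1", ports).items()):
            print(f"{p:5d}/tcp  {state}")
        print("open:", open_ports("127.0.0.1", ports))
    finally:
        srv.close()
```

Run it once against the loopback listener to see an "open" result next to the "closed" ones, then point `scan()` at the address of the box you actually want to audit; each port it reports as "open" is one you need to explain or shut down, exactly as the post says. A "filtered" result on a host you know is up tells you a firewall is already dropping that probe.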