Tobias DiPasquale on Thu, 30 Jan 2003 07:50:30 -0500
On Thu, 2003-01-30 at 06:50, Jeff Abrahamson wrote:
> All the discussion about firewalls aside, if a machine is running no
> services available to the outside world, how can an attacker break in?
>
> That is, suppose I make the naive argument that I only run sshd on
> port 22, so all other ports get denied anyway by dint of having
> nothing listening (not even inetd). Why bother with iptables beyond
> masquerading?

The firewall would be of no help in that situation, other than to only allow traffic from specific places to connect to ssh. Exploits for vulnerabilities in whatever sshd you're running, if they came from an acceptable location, would be just as effective as if you weren't running iptables.

The firewall is the outer layer in the onion approach to security. It allows you to better mitigate DoS attacks by refusing traffic from offending hosts/network blocks. iptables is stateful, so it remembers information about a session and therefore better allows the sysadmin to determine when an attack is occurring than its predecessor, ipchains.

However, as we've seen many times in the past at big places, if you're running one service and only that one service (a big Webserver, or a database server, etc.), and the machine is accessible, then it only matters how up to date the patches are on that machine. In that situation, a firewall can only help you after you've already been attacked, but it might help you determine an attack has occurred more efficiently than if you weren't running one.

-- 
Tobias DiPasquale
88FA 30C9 1E63 CFE2 CBD8 37C4 DA1C E2BF 1D26 F036
http://cbcg.net/
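The ruleset Tobias describes, as an added example that is not part of the original post: a default-deny iptables INPUT chain for a host whose only exposed service is sshd, where new ssh connections are accepted only from an administrative network and conntrack state is used so that established sessions keep flowing. The admin network 203.0.113.0/24 (an RFC 5737 documentation range) and the `FW-DROP:` log prefix are assumptions chosen for the example. By default the script only prints the iptables commands it would run; set `APPLY=1` and run it as root to load them.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Default-deny inbound filtering for a single-service (sshd) host.
# ADMIN_NET is an assumed value standing in for the "specific places"
# that are allowed to open an ssh session.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Run the iptables command when APPLY=1, otherwise just print it
# so the ruleset can be reviewed without touching the kernel.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # Clear INPUT and make the default policy DROP: anything not
    # explicitly accepted below never reaches a listening socket.
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback traffic is always allowed.
    ipt -A INPUT -i lo -j ACCEPT

    # Stateful part: replies to connections this host already accepted
    # or initiated are passed without re-evaluating the rules below;
    # packets conntrack cannot match to any session are dropped.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # sshd on TCP/22: only NEW connections from the admin network may
    # start a session. An sshd exploit launched from inside ADMIN_NET
    # is unaffected by this rule, which is the point made in the post.
    ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Log (rate-limited) what the policy is about to drop, so scans and
    # attack attempts leave a record even though nothing else listens.
    ipt -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-DROP: "
}

build_rules
```

The LOG rule sits last on purpose: everything that reaches it has already failed the accept rules, so the kernel log then shows only rejected traffic, which is the "determine an attack has occurred" benefit the reply mentions. The rate limit keeps a flood from turning the log itself into a denial of service.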