Rich Kulawiec on 1 Aug 2017 05:59:02 -0700



Re: [PLUG] SSH Hardening : Request for Best Practices


On Wed, Jul 26, 2017 at 06:13:57PM -0400, Steve Litt wrote:
> Just to be sure: Your pf.conf is just to convey what to block, right?

Yes.  It's an outline, a starting point, no better.  Writing a real
pf.conf requires detailed knowledge of the computing/networking
environment and some careful thought.

> If you know some way I can put a pf firewall on my normal Linux boxes,
> I'd love it.

I recommend against that.  If you're going to defend Linux boxes,
put a *BSD box with pf in front of them.   (Preferably on a non-Intel
architecture.)  This not only puts a far more hardened host in
the data path, but it brings some OS diversity and, if you really
do use a non-Intel architecture, some CPU diversity.  (And of course
you should use the firewall functionality on your other hosts as well.)
Given the very low hardware requirements for such a BSD system
(OpenBSD and pf are ridiculously efficient and resource-frugal) you
can probably get away with any old system you have lying around.

This means that an attacker is now confronted with two different
firewall implementations on two different operating systems on
two different architectures.  And this in turn means that when, not if,
there is a zero-day that involves one of those, you still have another
one that's not affected.  This can turn a disastrous day into merely
an annoying day.

---rsk
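As an added illustration of the layout described above (an OpenBSD pf box in front of the Linux hosts, with SSH as the only inbound service), here is a minimal pf.conf. It is not the pf.conf from earlier in this thread and not the author's; every interface name, address range and threshold in it is an assumption chosen for the example, and like any such outline it has to be adapted to the real network before use.

```pf
# Added example: pf.conf for an OpenBSD box in front of two Linux hosts.
# Interface names, addresses and limits below are assumptions, not from the thread.
ext_if = "em0"          # faces the untrusted network
int_if = "em1"          # faces the Linux hosts
linux_hosts = "{ 192.0.2.10, 192.0.2.11 }"   # protected hosts (assumed, RFC 5737 range)
admin_net = "198.51.100.0/24"                # only source allowed to reach SSH (assumed)

# Addresses that trip the SSH rate limit are added here and dropped
table <bruteforce> persist
# Private and reserved ranges that should never arrive on the outside interface
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                         172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }

set skip on lo
set block-policy drop
set loginterface $ext_if

# Reassemble fragments and normalize packets before any rule is evaluated
match in all scrub (no-df random-id max-mss 1440)

# Default deny in both directions, logged; quick rules stop evaluation early
block log all
block in quick on $ext_if from <martians>
block in quick on $ext_if from <bruteforce>

# The firewall itself may initiate outbound TCP/UDP (DNS, NTP, updates)
pass out on $ext_if proto { tcp udp } from ($ext_if) to any modulate state

# SSH to the Linux hosts, only from the admin network, with a connection
# rate limit: more than 5 new connections in 30 seconds from one source
# moves that source into <bruteforce> and tears down its existing states.
pass in on $ext_if proto tcp from $admin_net to $linux_hosts port ssh \
    flags S/SA modulate state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Linux hosts may reach out (replies, updates), but may not ssh anywhere
# from inside; pf uses last-match semantics, so the later block rule wins.
pass in on $int_if proto { tcp udp } from $linux_hosts to any modulate state
block in on $int_if proto tcp from $linux_hosts to any port ssh
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and remember the OpenBSD box only forwards traffic to the hosts behind it once `net.inet.ip.forwarding=1` is set. States are floating by default, so the SSH session admitted on `$ext_if` passes out through `$int_if` without a separate rule. The Linux hosts still keep their own packet filter behind this, which is what gives the second, independent layer the text argues for.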

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug