Rich Kulawiec on 1 Aug 2017 05:59:02 -0700
Re: [PLUG] SSH Hardening : Request for Best Practices
On Wed, Jul 26, 2017 at 06:13:57PM -0400, Steve Litt wrote:

> Just to be sure: Your pf.conf is just to convey what to block, right?

Yes. It's an outline, a starting point, no better. Writing a real pf.conf requires detailed knowledge of the computing/networking environment and some careful thought.

> If you know some way I can put a pf firewall on my normal Linux boxes,
> I'd love it.

I recommend against that. If you're going to defend Linux boxes, put a *BSD box with pf in front of them. (Preferably on a non-Intel architecture.) This not only puts a far more hardened host in the data path, but it brings some OS diversity and, if you really do use a non-Intel architecture, some CPU diversity. (And of course you should use the firewall functionality on your other hosts as well.)

Given the very low hardware requirements for such a BSD system (OpenBSD and pf are ridiculously efficient and resource-frugal) you can probably get away with any old system you have lying around.

This means that an attacker is now confronted with two different firewall implementations on two different operating systems on two different architectures. And this in turn means that when, not if, there is a zero-day that involves one of those, you still have another one that's not affected. This can turn a disastrous day into merely an annoying day.

---rsk

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
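The layout rsk describes (an OpenBSD/pf box routing in front of the Linux hosts, with SSH reachable only from an administrative network and brute-force sources cut off at the gateway) can be sketched as a pf.conf. The ruleset below is an added example for this thread, not the pf.conf rsk posted earlier and not from any project; the interface names, the two networks and the rate-limit thresholds are assumptions, and as the post says, a real one needs knowledge of the actual environment.

```pf
# Added example: minimal pf.conf for an OpenBSD gateway routing in front of
# Linux hosts. Not the pf.conf from the earlier message. Interface names,
# addresses and thresholds are assumptions for illustration.

ext_if    = "em0"                # assumed: interface facing the Internet
int_if    = "em1"                # assumed: interface facing the Linux hosts
linux_net = "192.0.2.0/24"       # assumed: network the Linux boxes live on
admin_net = "198.51.100.0/24"    # assumed: where SSH administrators come from

# Sources that trip the SSH rate limit are held here; "persist" keeps the
# table across ruleset reloads so a reload does not un-ban anyone.
table <bruteforce> persist

set skip on lo

# Default deny. Log only what is refused on the outside interface so the
# firewall log is not flooded by internal noise.
block return
block log in on $ext_if

# Anything from a banned source is dropped before the pass rules are reached.
block quick from <bruteforce>

# Internal side: trust the hosts behind the gateway and forward their traffic.
pass in  on $int_if from $linux_net
pass out on $int_if to $linux_net
pass out on $ext_if from $linux_net keep state

# SSH to the Linux hosts, only from the admin network. More than 5 new
# connections in 30 seconds from one source puts that source into
# <bruteforce> and flushes its existing states on every interface.
pass in on $ext_if proto tcp from $admin_net to $linux_net port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# SSH to the gateway itself gets the same treatment.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the gateway also needs `net.inet.ip.forwarding=1` in `/etc/sysctl.conf` to route between the two interfaces. `pfctl -t bruteforce -T show` lists the banned sources, and `pfctl -t bruteforce -T expire 86400` clears entries older than a day. Because pf evaluates rules last-match-wins, the `block quick` line has to come before the `pass` rules to short-circuit them; that ordering is what makes the overload table take effect.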