Lee H. Marzke on 1 Aug 2017 06:51:43 -0700
Re: [PLUG] SSH Hardening : Request for Best Practices
I'm not saying it's trivial, but if you want something easier than setting up pf from scratch, I'd look at the pfSense distro, which is mostly GUI driven and has good alias support, which is great at making fw rules easier to manage/read.

Based on Rich's recommendations, I'm going to look into the pfBlocker GeoIP blocking module:
https://turbofuture.com/internet/How-to-Configure-pfBlocker-An-IP-Block-List-and-Country-Block-Package-for-pfSense

I've not used it so far, but it makes sense to block many countries that I don't expect traffic from.

Lee

----- Original Message -----
> From: "Rich Kulawiec" <rsk@gsp.org>
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Tuesday, August 1, 2017 8:58:55 AM
> Subject: Re: [PLUG] SSH Hardening : Request for Best Practices
>
> On Wed, Jul 26, 2017 at 06:13:57PM -0400, Steve Litt wrote:
>> Just to be sure: Your pf.conf is just to convey what to block, right?
>
> Yes. It's an outline, a starting point, no better. Writing a real
> pf.conf requires detailed knowledge of the computing/networking
> environment and some careful thought.
>
>> If you know some way I can put a pf firewall on my normal Linux boxes,
>> I'd love it.
>
> I recommend against that. If you're going to defend Linux boxes,
> put a *BSD box with pf in front of them. (Preferably on a non-Intel
> architecture.) This not only puts a far more hardened host in
> the data path, but it brings some OS diversity and, if you really
> do use a non-Intel architecture, some CPU diversity. (And of course
> you should use the firewall functionality on your other hosts as well.)
> Given the very low hardware requirements for such a BSD system
> (OpenBSD and pf are ridiculously efficient and resource-frugal) you
> can probably get away with any old system you have lying around.
>
> This means that an attacker is now confronted with two different
> firewall implementations on two different operating systems on
> two different architectures. And this in turn means that when, not if,
> there is a zero-day that involves one of those, you still have another
> one that's not affected. This can turn a disastrous day into merely
> an annoying day.
>
> ---rsk
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

-- 
"Between subtle shading and the absence of light lies the nuance of iqlusion..." - Kryptos

Lee Marzke, lee@marzke.net
http://marzke.net/lee/
IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM
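To make the thread's two points concrete (Rich's "BSD box with pf in front of the Linux hosts" and Lee's observation that alias-style groupings keep rules readable), here is an added illustrative pf.conf. It is not Rich's outline, not Lee's configuration and not anything pfSense generates; the interface names, the 192.0.2.x/198.51.100.x addresses and the /etc/pf/geoblock.txt path are assumptions chosen for the example. pf tables play the role of pfSense aliases: the rules reference a name, and the membership (a country or reputation feed, the admin sources) is maintained separately.

```pf
# Added example pf.conf for an OpenBSD box routing in front of two Linux
# hosts. All interface names, addresses and paths below are assumptions.

ext_if = "em0"                                # assumed: Internet-facing interface
int_if = "em1"                                # assumed: interface toward the Linux hosts
linux_hosts = "{ 192.0.2.10, 192.0.2.11 }"    # constructed RFC 5737 addresses

# Tables: membership lives outside the ruleset, so refreshing a feed does
# not mean editing (and risking) the rules themselves.
table <geoblock>   persist file "/etc/pf/geoblock.txt"   # assumed path; one CIDR per line
table <admins>     { 198.51.100.5, 198.51.100.6 }        # constructed admin sources
table <bruteforce> persist                               # populated by the overload rule below

set skip on lo
set block-policy drop

# Default deny. pf is last-match unless a rule says "quick", so the block
# rules carry "quick" to stop evaluation immediately.
block all

# Blocked regions and past offenders are dropped before any pass rule is seen.
block in quick on $ext_if from { <geoblock>, <bruteforce> }

# The inside interface is trusted; policy is enforced on $ext_if only.
pass quick on $int_if

# SSH to the Linux hosts is reachable only from the admin table, and a source
# opening more than 5 new connections in 30 seconds is moved into <bruteforce>
# with its existing states flushed.
pass in on $ext_if proto tcp from <admins> to $linux_hosts port 22 \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Outbound traffic from the Linux hosts (updates, DNS, NTP); narrow as needed.
pass out on $ext_if proto { tcp, udp } from $linux_hosts keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and refresh the country list without touching the ruleset using `pfctl -t geoblock -T replace -f /etc/pf/geoblock.txt`. The host-based firewalls Rich mentions on the Linux boxes themselves are a separate layer and are not replaced by this file.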