Thomas Delrue on 2 Aug 2017 11:08:23 -0700
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]
- From: Thomas Delrue <email@example.com>
- To: Rich Freeman <firstname.lastname@example.org>
- Subject: Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]
- Date: Wed, 02 Aug 2017 18:08:13 +0000
- Cc: Philadelphia Linux User's Group Discussion List <email@example.com>
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:in-reply-to:references:mime-version:content-transfer-encoding :subject:to:cc:from:message-id; bh=75Ovj4EL7Fw3oZH8xxVKvezkIDa+XG31XLyVI1n0ixQ=; b=rFofnPJc+9VqQTiAKypVkj4tQXqKbiaOllOzz7SMmyfO6OPKakT7icW0dwKS0T14OR SFcJDtLqLX6nDmw6B8P3BQy5J4+gqMq3QLU82HKmHnYLzFJ/vBpx/ccPAD1fhQ44ElJa 3iC1LiaOI7vFvoZYi3xLVlPX6qRjmmaEok2WAb783NaWl0nA20sM9m45wB2fd+RjLRiL qT5QQcomvsJ88b1tlm0kOlBNVWLCu2/TM9uFkfgZhU1zIOH3APNhLF82c1ZqtciR+kIS Y/m4oaYthHfvogIsw+r6u9z7o01po1ag0VT03G4cr9wdO6A70glw8MVgxb+nFpahLSi3 gsSg==
- Reply-to: Philadelphia Linux User's Group Discussion List <firstname.lastname@example.org>
- Sender: "plug" <email@example.com>
On August 2, 2017 1:42:26 PM EDT, Rich Freeman <firstname.lastname@example.org> wrote:
On Wed, Aug 2, 2017 at 1:19 PM, Thomas Delrue <email@example.com> wrote:
I think his point is that you disallow everything by default and then only open up what your really need.
So, do you whitelist every individual web server you browse? Oh, and
I assume you proxy those requests to check the URLs because one of
those virtual hosts could be also hosting malware on some other
And if you just blindly accept http everything then boom, there is the
path that malware can use to contact the command/control server.
I have to imagine that outbound traffic is VERY diverse. This is why
I think people tend to open things up.
Sure, it is a no-brainer to do this inbound, but who doesn't already do that?
Believe it or not but I actually do have something along those lines in place. It's more complex than just this but once running, it's rather nice (and to rsk's point, hardly any maintenance).
(Sent from my mobile device, please forgive brevity or typos.)
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug