Linh Dang <[EMAIL PROTECTED]> writes:
> Thank you very much!
>
> Another question if you don't mind?
>
> Someone mentioned ipfwadm. What do you think about it, how does it
> compare to tcpwrapper? Does one have to recompile the kernel to use ipfwadm?
Yes, your kernel has to be compiled to support ipfwadm; no, I don't know whether or not the default Debian kernel is.

The basic difference is where they operate. tcpwrappers operates at the socket level; it gets invoked after a network connection has been made but before that connection is passed off to the actual program that does telnet logins, or accepts mail, or ... ipfwadm puts its blocks in at the kernel level, so that packets trying to establish network connections you don't want never make it through to the kernel logic that would establish a connection.

ipfwadm is most useful when your box is acting as a router, and you wish to protect machines on one side of the network from machines on the other side. But it can also be useful in your case.

As for which is "more secure" - ipfwadm is certainly the one to use for the ultra-paranoid. It is possible that a SYN-flood type DoS attack (an attack where some malicious person tries to initiate as many connections as possible in rapid succession - the idea isn't to break in, but just to bog down your machine and so make your life miserable) could get through on a tcpwrapper-protected machine and be blocked on an ipfwadm-secured machine. However, since you are leaving port 80 (http connections) open anyway, the attacker would just have to target that port in their SYN flood. Also, in my case my machine is just connected through a phone line, and so packets of any kind can only reach my machine comparatively slowly.

tcpwrappers provides for more extensive logging of what's going on, in my experience; I have this silly idea that some day I'm going to get to file a CERT report because some hacker who'd hacked their way across many systems wound up in my logs. Hasn't happened yet, but you never know...
By the way, that hosts.deny line I use is now:

    ALL: [EMAIL PROTECTED] : rfc931 : spawn ((echo %c %a contacting %d; /bin/netstat --inet -n; traceroute -p 31434 %a) 2>&1 | mail root)

The "echo" and dumping to a file in /tmp were earlier debugging features I meant to change but had never gotten around to.
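As an added illustration (not part of the mail above, and not the poster's code): the script below emulates the order in which tcpd consults hosts.allow and hosts.deny, the client patterns it understands (ALL, LOCAL, KNOWN/UNKNOWN, .domain suffix, dotted-quad prefix, net/mask, user@host, EXCEPT), and the %-expansions in a spawn command like the one quoted. The two tables and the client records are constructed for the demonstration; the set of shell metacharacters replaced by underscores is an approximation of what tcpd does, not a copy of it.

```python
"""Emulation of tcpd's hosts.allow / hosts.deny evaluation (added example).
Tables and clients below are constructed, not taken from any real host."""
import ipaddress
import re

# Constructed sample tables.  tcpd reads hosts.allow first; a match grants.
# Otherwise it reads hosts.deny; a match refuses.  No match at all grants.
HOSTS_ALLOW = """
sshd, in.telnetd : 192.168.1. , .example.org EXCEPT untrusted.example.org
in.ftpd          : 10.0.0.0/255.0.0.0
"""
HOSTS_DENY = """
# modelled on the rule quoted in the post: report who contacted what, then refuse
ALL : ALL : rfc931 : spawn (echo %c %a contacting %d | mail root) &
"""


def parse_table(text):
    """Yield (daemon_list, client_list, options) per rule; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        yield fields[0], fields[1], fields[2:]


def match_list(expr, matcher, subject):
    """Evaluate 'list_1 EXCEPT list_2' (right-associative, as in tcpd); a list
    is a comma- or blank-separated set of patterns, any of which may match."""
    parts = re.split(r"\s+EXCEPT\s+", expr, maxsplit=1)
    if len(parts) == 2:
        return match_list(parts[0], matcher, subject) and not match_list(parts[1], matcher, subject)
    return any(matcher(tok, subject) for tok in re.split(r"[\s,]+", expr.strip()) if tok)


def match_daemon(pat, daemon):
    return pat == "ALL" or pat == daemon


def match_client(pat, client):
    """client: dict with 'addr', 'host' (None if the reverse lookup failed) and
    optionally 'user' (the ident/rfc931 reply).  @netgroup patterns are not handled."""
    addr, host, user = client["addr"], client.get("host"), client.get("user")
    if "@" in pat:                               # user@host pattern
        upat, hpat = pat.split("@", 1)
        user_ok = (upat == "ALL" or (upat == "KNOWN" and bool(user))
                   or (upat == "UNKNOWN" and not user) or upat == user)
        return user_ok and match_client(hpat, client)
    if pat == "ALL":
        return True
    if pat == "LOCAL":                           # a name without a dot
        return host is not None and "." not in host
    if pat == "KNOWN":
        return host is not None
    if pat == "UNKNOWN":
        return host is None
    if pat.startswith("."):                      # domain suffix
        return host is not None and host.lower().endswith(pat.lower())
    if pat.endswith("."):                        # dotted-quad prefix
        return addr.startswith(pat)
    if "/" in pat:                               # net/mask, mask may be dotted
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
    return pat == addr or (host is not None and pat.lower() == host.lower())


def expand(cmd, daemon, client):
    """Expand tcpd's %-sequences.  Client-supplied strings (host name, ident
    reply) have shell metacharacters replaced by '_' before reaching /bin/sh;
    the character set kept here is an assumption, not tcpd's exact list."""
    def safe(s):
        return re.sub(r"[^A-Za-z0-9@.:_\-]", "_", s)
    addr = safe(client["addr"])
    host_or_addr = safe(client.get("host") or client["addr"])
    user = safe(client["user"]) if client.get("user") else None
    table = {"a": addr, "h": host_or_addr, "u": user or "unknown",
             "c": "%s@%s" % (user, host_or_addr) if user else host_or_addr,
             "d": daemon, "%": "%"}
    return re.sub(r"%(.)", lambda m: table.get(m.group(1), m.group(0)), cmd)


def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return (granted, expanded spawn command or None) in tcpd's order."""
    for table, granted in ((allow, True), (deny, False)):
        for daemons, clients, options in parse_table(table):
            if match_list(daemons, match_daemon, daemon) and match_list(clients, match_client, client):
                decision, cmd = granted, None
                for opt in options:              # extended options; rfc931 etc. are ignored here
                    if opt == "allow":
                        decision = True
                    elif opt == "deny":
                        decision = False
                    elif opt.startswith("spawn "):
                        cmd = expand(opt[len("spawn "):], daemon, client)
                return decision, cmd
    return True, None


if __name__ == "__main__":
    for d, c in (("sshd", {"addr": "192.168.1.20", "host": "box.lan"}),
                 ("sshd", {"addr": "203.0.113.5", "host": "untrusted.example.org", "user": "mallory"}),
                 ("in.fingerd", {"addr": "198.51.100.9", "host": None})):
        print(d, c["addr"], hosts_access(d, c))
```

Two things worth noticing when running it: a client that reaches hosts.deny has already completed the TCP handshake (tcpd only sees the accepted socket, which is the point made about SYN floods above), and anything the client controls that lands in a spawn command goes through the underscore substitution, which is why the host name and ident reply are sanitized before the command is handed to the shell.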