At 996072286s since epoch (07/25/01 12:44:46 -0400 UTC), Matthew Thompson wrote:

> I was talking with a friend of mine who said it's better to have a policy
> of DENY since that doesn't return any information and if someone is trying
> to attack the machine on a closed port, it will take much longer to figure
> it out.
>
> Are there any drawbacks to DENY? Is there a general consensus on this
> subject?
In general, DENY is good because it does just what your friend says. This also makes things like portscans more difficult, as they take longer to complete (the scanner must time out on all the ports, rather than just getting back an instant 'closed' message).

There are some downsides, however, that you may want to consider. The first is that someone may notice that some ports on your box are open, but others simply time out. The most logical explanation for this is a firewall. This could make your machine more interesting to attack (a 'challenge', if you will), since you seem to be trying to protect something. OTOH, most script kiddies will just move on and scan somebody else.

The other problem is that if you DENY certain oft-used services, you can cause problems. For example, if you DENY on the ident service port, machines trying to connect to you will time out waiting for ident info. Some mail servers try to connect back to the ident port on a client before accepting mail. If your machine DENYs ident requests, it will have to wait for that timeout to occur before sending mail. Moral of that story is to make sure that you either run an ident server, or set it to REJECT.

Most other stuff is safe to DENY (daytime, echo, telnet, ftp, www, finger, > 1024). The only real question is how you want to appear to the outside world, and that choice is up to you.

Jason

--
Jason Healy | [EMAIL PROTECTED]
LogN Systems | http://www.logn.net/
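The policy Jason describes, written out as an iptables rule set (this is an added example, not from the thread; iptables' DROP target is what ipchains called DENY). It assumes a Linux box whose public interface is eth0 (a constructed name), that serves SMTP and HTTP, runs no ident daemon, and silently drops everything else except ident, which gets a TCP reset so remote mail servers are not left waiting on their ident lookup.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumes iptables on Linux;
# PUB_IF is an assumed interface name and can be overridden from the environment.
PUB_IF="${PUB_IF:-eth0}"

# Emit the rule set as text so it can be reviewed (or piped to sh as root) first.
fw_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $PUB_IF -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i $PUB_IF -p tcp --dport 80 -j ACCEPT
# ident (113): answer with a TCP RST so a mail server doing an ident lookup
# gets an instant "closed" instead of waiting for its timeout before accepting our mail
iptables -A INPUT -i $PUB_IF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# everything else (telnet, finger, ports > 1024, ...) falls through to the DROP policy
EOF
}

# Report the verdict the rule set gives an inbound TCP port: ACCEPT, REJECT,
# or DROP (the chain policy) when no explicit rule matches. Used to check the rules.
fw_verdict() {
    port="$1"
    v=$(fw_rules | grep -- "--dport $port " | sed -n 's/.* -j \([A-Z]*\).*/\1/p')
    if [ -n "$v" ]; then echo "$v"; else echo DROP; fi
}

# fw_rules            # print the rules for review
# fw_rules | sudo sh  # apply them
```

Run `fw_verdict 113` to confirm ident is rejected rather than dropped; any port without an explicit rule reports DROP.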