On 7/22/2012 11:09 AM, lina wrote:
On Sun, Jul 22, 2012 at 11:53 PM, Brian <a...@cityscape.co.uk> wrote:
On Sun 22 Jul 2012 at 22:01:50 +0800, lina wrote:
On Sun, Jul 22, 2012 at 7:32 PM, Brian <a...@cityscape.co.uk> wrote:
Heaven above knows why you need a firewall. These services are quite
capable of getting on with life without iptables being involved. So are
you.
Just today one website I cared about failed to open; certainly it's
under attack.
I don't know what other people are capable of; I feel they are capable
of doing lots of things.
Frankly speaking, I don't have much energy/channel to arm myself with some
intense knowledge to meet some potential defense requirement
(sometimes I read something, but mainly to forget later).
So the only thing I can do now is to understand something very
basic, gradually and patiently, perhaps 10 years later,
and I don't have some strong security feelings; if something goes wrong
with the laptop, I guess I will unavoidably freak out and at that time
definitely some days will be wasted.
Let's take a look at what you are doing. I'll simplify it a bit, but
hopefully not so much as to distort your intentions.
1. You have two tcp services which you offer on the network, ssh and a
webserver. Other services are available to localhost only. So the
only way the outside can communicate with your machine is through
ports 22 and 80.
2. You use iptables to reject all connections. This effectively means
the services on ports 22 and 80 become unavailable, which does not
suit you.
3. You now poke two holes in the firewall to reverse what you did in 2.
Now you can consider what you have achieved. Sticking at 1. gives you
what you have at 3. In what way have you improved security on the machine?
So now it is okay?! (If I catch correctly, this firewall actually is
making no big difference here?)
Thanks,
In general, it often makes sense to have everything set to be secure. If
there are two things you can do, and it makes sense to do both, go ahead
(suspenders *and* belt). Sometimes, it doesn't make sense, such as
times when there's a fork in the road, and you have to choose one way or
the other. It might not make sense if doing multiple things caused a
significant performance hit.
But sometimes an exploit is found in one of the things, and if you are
doing that thing, and nothing else, then your system is vulnerable. If
you are doing two separate things and one is compromised, then hopefully
you are still protected by the other.
While you are only running two things that use an open port, you are
compromised only if there is a vulnerability in one of them. In this
case, iptables adds no extra security.
However, I have noticed a tendency for things to be installed or started
that open new ports, and it's easy to overlook them. Aptitude in
particular will install extra packages that you don't need or want.
So, keep an eye open at all times, and one thing you can do is every now
and then look at log files and config files. If you do run *iptables*,
look at all the rules now and then, and see if one has been added that
you didn't add yourself, and ask yourself why it's there. Maybe you are
running World of Warcraft under WINE, and installing it opens up port
3724. You might leave it, or you might want to close it. (WoW can use
port 80.) But if you see something you don't recognize, do what you
did, and Google it or ask someone.
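An added example in the spirit of the "keep an eye open" advice above; it is not from any message in this thread. It compares the TCP ports an iptables INPUT chain accepts (in `iptables-save` format) with the ports actually listening on non-loopback addresses (in `ss -tln` format) against a hand-kept allowlist, and prints the ports that are reachable but were never knowingly exposed. Both inputs are constructed sample text, not real output; the 3724 line mirrors the WoW example.

```shell
#!/bin/sh
# Added example (not from the thread): flag listening TCP ports that the firewall
# lets through but that were never knowingly put on the allowlist.

# Constructed sample of `iptables-save` output for the setup discussed above.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3724 -j ACCEPT
COMMIT'

# Constructed sample of `ss -tln` output on the same host (631 is CUPS, loopback only).
SAMPLE_LISTEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:3724       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# Ports the owner has knowingly chosen to expose: ssh and the web server.
ALLOWED='22 80'

# TCP --dport values from ACCEPT rules in the INPUT chain, one per line, sorted.
accepted_ports() {
  printf '%s\n' "$1" | awk '/^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
    for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }' | sort -un
}

# Ports bound to a non-loopback address in `ss -tln` output, one per line, sorted.
exposed_ports() {
  printf '%s\n' "$1" | awk 'NR > 1 && $4 !~ /^(127\.|\[::1\])/ {
    n = split($4, a, ":"); print a[n] }' | sort -un
}

# Listening on a public address AND accepted by iptables, but not on the allowlist.
unexpected_ports() {
  accepted=" $(accepted_ports "$1" | tr '\n' ' ')"
  for p in $(exposed_ports "$2"); do
    case "$accepted" in *" $p "*) ;; *) continue ;; esac   # filtered: unreachable
    case " $3 " in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
  done
}

unexpected_ports "$SAMPLE_RULES" "$SAMPLE_LISTEN" "$ALLOWED"   # prints 3724
```

On a real host, pass the output of `iptables-save` and `ss -tln` in place of the two samples; anything printed is a port worth asking "why is that there?" about.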
Archive: http://lists.debian.org/500c2e00.1020...@allums.com