On 23 Jul, 2012, at 0:44, Mark Allums <m...@allums.com> wrote:

> On 7/22/2012 11:09 AM, lina wrote:
>> On Sun, Jul 22, 2012 at 11:53 PM, Brian <a...@cityscape.co.uk> wrote:
>>> On Sun 22 Jul 2012 at 22:01:50 +0800, lina wrote:
>>>
>>>> On Sun, Jul 22, 2012 at 7:32 PM, Brian <a...@cityscape.co.uk> wrote:
>>>>> Heaven above knows why you need a firewall. These services are quite
>>>>> capable of getting on with life without iptables being involved. So are
>>>>> you.
>>>> Just today one website I cared about failed to open; certainly it's
>>>> under attack.
>>>> I don't know what other people are capable of; I feel they are capable
>>>> of doing lots of things.
>>>> Frankly speaking I don't have much energy/channel to arm myself with some
>>>> intense knowledge to meet some potential defense requirement
>>>> (sometimes I read something, but mainly to forget later).
>>>> So the only way I can do now is to understand something very
>>>> basic, gradually and patiently, perhaps 10 years later,
>>>> and I don't have some strong security feelings; if something goes wrong
>>>> with the laptop, I guess I will unavoidably freak out and at that time
>>>> definitely some days will be wasted.
>>> Let's take a look at what you are doing. I'll simplify it a bit but
>>> hopefully not so much as to distort your intentions.
>>>
>>> 1. You have two tcp services which you offer on the network, ssh and a
>>>    webserver. Other services are available to localhost only. So the
>>>    only way the outside can communicate with your machine is through
>>>    ports 22 and 80.
>>>
>>> 2. You use iptables to reject all connections. This effectively means
>>>    the services on ports 22 and 80 become unavailable, which does not
>>>    suit you.
>>>
>>> 3. You now poke two holes in the firewall to reverse what you did in 2.
>>>
>>> Now you can consider what you have achieved. Sticking at 1. gives you
>>> what you have at 3. In what way have you improved security on the machine?
>> So now it's okay?! (If I catch correctly, this firewall actually is
>> making no big difference here?)
>>
>> Thanks,
>
> In general, it often makes sense to have everything set to be secure. If
> there are two things you can do, and it makes sense to do both, go ahead
> (suspenders *and* belt). Sometimes, it doesn't make sense, such as times
> when there's a fork in the road, and you have to choose one way or the other.
> It might not make sense if doing multiple things caused a significant
> performance hit.
>
> But sometimes an exploit is found in one of the things, and if you are doing
> that thing, and nothing else, then your system is vulnerable. If you are
> doing two separate things and one is compromised, then hopefully you are
> still protected by the other.
>
> While you are only running two things that use an open port, you are
> compromised only if there is a vulnerability in one of them. In this case,
> iptables adds no extra security.
>
> However, I have noticed a tendency for things to be installed or started that
> open new ports, and it's easy to overlook them. Aptitude in particular will
> install extra packages that you don't need or want.
>
> So, keep an eye open at all times, and one thing you can do is every now and
> then look at log files and config files. If you do run *iptables*, look at
> all the rules now and then, and see if one has been added that you didn't add
> yourself, and ask yourself why it's there. Maybe you are running World of
> Warcraft under WINE, and installing it opens up port 3724. You might leave
> it, or you might want to close it. (WoW can use port 80.) But if you see
> something you don't recognize, do what you did, and Google it or ask someone.

Thanks for your suggestions. I didn't realize aptitude would install
something else, and sometimes I treated the recommended as something
complimentary. Many times I left the laptop to install and myself ran
outside to take a break.

Thanks,

> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject
> of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/500c2e00.1020...@allums.com

--
Archive: http://lists.debian.org/8c6df8f7-5f17-4f84-96f0-bbf81892d...@gmail.com
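Brian's point is that the machine's exposure is defined by the sockets that listen on a non-loopback address (22 and 80 here), and Mark's advice is to check periodically for ports that appeared without you opening them (his WoW/3724 example). The script below is an added example written for this thread, not code posted by anyone in it: it parses `ss -ltn` style output (the column layout is an assumption; the sample output is constructed), drops sockets bound to 127.0.0.1 or [::1], and reports every exposed port that is not on an allowlist. The `audit_live` helper runs the same check against the real `ss` output on a Linux box.

```shell
#!/bin/sh
# Added example (not from the thread): audit exposed listening TCP ports
# against an allowlist. Assumes `ss -ltn` output with the local address
# in column 4. The sample below is constructed, not captured from a host.

SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:3724         0.0.0.0:*
LISTEN  0       128     [::1]:25             [::]:*'

# Read ss-style text on stdin, print one port per line for every socket
# that is reachable from outside (anything not bound to loopback).
exposed_ports() {
    awk 'NR > 1 {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "127.0.0.1" && addr != "[::1]") print port
    }'
}

# $1: space-separated allowlist of ports; stdin: ss-style text.
# Prints the exposed ports that are not in the allowlist.
unexpected_ports() {
    allowed=" $1 "
    exposed_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;          # expected (ssh, web server)
            *) echo "$port" ;;       # opened by something you did not add
        esac
    done
}

# Run the check on the constructed sample: only 3724 is unexpected.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_ports "22 80"
}

# Run the check on the live host (Linux with iproute2 installed).
audit_live() {
    ss -ltn | unexpected_ports "22 80"
}
```

Run `audit_live` from cron and mail yourself the output when it is non-empty; an empty result means the only reachable services are still the two you chose to offer, which is exactly the state Brian describes in his point 1. Pair it with a periodic `iptables -S` diff if you keep the firewall, so that rule changes and new listeners are both caught.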