On 29.07.2012 11:48, Mark Alan wrote:
>> if you do not trust your OUTGOING traffic the only valid
>> reason is that you doubt your machine is compromised
>
> [The problem, as said in another email, is (mostly) solved]
>
> - I do not trust anything connected 24h to the Internet

then shut it down
do not run things you do not trust

> - I do not trust anything in a Xen VPS that sits in a datacenter
> owned / managed / maintained by I do not know exactly who

so get a root server instead of letting things be maintained by
people you do not trust

> - I do not trust any software, open source or otherwise, that has a
> level of complexity high enough to not be fully understood by the
> installer, maintainer, user, etc.

a well made postfix setup is 100% understandable
if your mailserver setup is NOT understood by you SHUT IT DOWN

> [ Just google for "OpenSSH FBI backdoor". Its IPSEC stack was a
> relatively small but nevertheless highly sensitive piece of software.
> Look how it managed to elude, for so many years, so many security
> conscious people, including most of the more security conscious
> developers around: the developers of the OpenBSD - the "Ultra-Secure
> Operating System". ]

completely off-topic

> This 'thing' just become so complex and with so many variables, that
> it became impossible to know them all and to account for them all.
> We can only reduce the size of the target and make it a little more
> difficult to break in.

you make it not difficult to break in with OUTGOING rate controls

> And that is why we keep an eye on syslog and cousins and ask for help
> here on this list when we start to see firewall drop outs related with
> Postfix.

keep your eye on intrusion events instead of crippling down your network stack

>> and NO a synflood will never come in the OUTPUT stream
>> except your machine is compromised, but if so shut it down
>
> I am afraid that time will show you otherwise

i am afraid this will not happen because my machines
are not partly out of control like yours

> These systems are not 'simple', not even 'complicated', they are real
> 'complex systems'

not really

> And, worse, with so many knowledgeable people with time and resources to
> invest into breaking these systems, these are now real 'complex adaptive
> systems'

if knowledgeable people maintain them you are mostly safe
not knowledgeable people should better not run public servers
because in the case of an intrusion or config mistake they are
doing damage also on third parties