[vox] security dilemma

Micah J. Cowan micah at cowan.name
Thu Sep 21 00:07:17 PDT 2006


On Wed, Sep 20, 2006 at 09:19:25PM -0700, Cylar Z wrote:
> Hey all,
> 
> I have a security-related question and would like to
> solicit your advice on the best way to lock down my
> system, given the situation.
> 
> My Redhat system is on a network, has a public static
> IP, and is exposed to the full traffic of the Internet
> - no DMZ or router/firewall protection. (I've
> considered adding a small router in front of it, but
> that is a separate issue.)
> 
> I'm using an iptables firewall along with TCP
> wrappers. These two measures bolster system security
> by only allowing connections from a limited set of IP
> addresses where I and/or authorized users should be
> coming from while accessing the system remotely via
> SSH2. (All other connections are automatically denied
> by the firewall). I've also implemented some secondary
> security measures, but TCP wrappers and the firewall
> stop over 99% of break-in attempts.
> 
> Here's the issue. As with many broadband customers, my
> IP changes occasionally, and every so often, my
> assigned client IP address falls outside of the range
> defined by the firewall and/or TCP wrappers on the
> remote Red Hat server.

I think you rely too much on the firewall to provide security. You
should not feel bad about opening the firewall for ports that go to
services that are secure anyway (such as sshd), even to a range of IP
addresses that you know for a fact are untrustworthy. If you are using
other, secure mechanisms to access the box, your lack of firewalling on
that port will make precious little difference.

You /could/ leave firewalling as is for sshd, and have a separate
service listening on an unfirewalled port that uses a different
authentication method that, once successfully authenticated, would
switch sshd's firewalling to only accept from /that/ IP address from now
on. The trouble with this is that the "extra security" is purely
illusory. It boils down to exactly the same level of security as just
using that same method of authentication on your unfirewalled sshd.

You could add automatic firewall rules that detect activity such as
portscanning, or connection attempts to illegitimate ports, and
automatically block further packets from that IP.

...I'm not sure quite what you mean by "TCP wrappers". To me, that
brings up images of xinetd and the like. And I don't see how wrapping a
TCP service with another TCP service would make anything more secure...

-- 
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/
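An added illustration of the automatic-blocking idea in the reply above (example code written for this page, not Micah's or the list's): a small detector that reads iptables LOG lines, flags any source that tries many distinct ports within a short window, and emits a DROP rule for it. The sample log lines are constructed, and the window, threshold and allow-list are hypothetical settings; the allow-list exists so the admin's own address (the one that keeps changing in the original question) is never blocked by mistake.

```python
"""Flag port-scanning sources from iptables LOG lines and emit block rules.

Added example, not code from the original post. The line format is the
one the iptables LOG target writes to the kernel log (syslog prefix, then
IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT= fields); the sample below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical settings: a source that hits THRESHOLD distinct destination
# ports within WINDOW is treated as a scanner. ALLOW holds addresses we
# never block (e.g. the admin's own), so a detector cannot lock us out.
WINDOW = timedelta(seconds=60)
THRESHOLD = 5
ALLOW = {"192.0.2.44"}

# Constructed sample (documentation address ranges): one host probing six
# ports in a few seconds, one host making ordinary SSH connections, and the
# allow-listed admin address probing its own box.
SAMPLE_LOG = """\
Sep 21 00:01:02 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=21 SYN
Sep 21 00:01:02 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=22 SYN
Sep 21 00:01:03 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=23 SYN
Sep 21 00:01:03 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=25 SYN
Sep 21 00:01:04 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40005 DPT=80 SYN
Sep 21 00:01:04 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40006 DPT=443 SYN
Sep 21 00:02:10 host kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22 SYN
Sep 21 00:03:00 host kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=22 SYN
Sep 21 00:05:00 host kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=52000 DPT=22 SYN
Sep 21 00:05:00 host kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=52001 DPT=80 SYN
Sep 21 00:05:01 host kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=52002 DPT=443 SYN
Sep 21 00:05:01 host kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=52003 DPT=8080 SYN
Sep 21 00:05:02 host kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=52004 DPT=3306 SYN
"""

# Syslog timestamp, then the SRC / PROTO / DPT fields in the order LOG writes
# them. ICMP lines carry no DPT and simply do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) "
    r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source, dport) for a LOG line, or None if it is not one.

    Syslog timestamps carry no year; strptime fills in 1900, which is fine
    because only differences between timestamps are used.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def find_scanners(log_text, window=WINDOW, threshold=THRESHOLD, allow=ALLOW):
    """Sliding-window scan detection.

    Returns (flagged, suppressed): flagged maps source -> sorted list of the
    ports it probed inside the window; suppressed is the set of allow-listed
    sources that met the threshold but were deliberately not flagged.
    """
    recent = defaultdict(deque)  # source -> deque of (time, dport), oldest first
    flagged, suppressed = {}, set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        t, src, dport = ev
        q = recent[src]
        q.append((t, dport))
        while q and t - q[0][0] > window:  # drop events outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            if src in allow:
                suppressed.add(src)
            else:
                flagged[src] = sorted(ports)
    return flagged, suppressed


def block_rules(flagged):
    """Render one iptables DROP rule per flagged source (returned, not executed)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(flagged)]


if __name__ == "__main__":
    flagged, suppressed = find_scanners(SAMPLE_LOG)
    for src, ports in flagged.items():
        print(f"{src} probed ports {ports}")
    for src in sorted(suppressed):
        print(f"{src} met the threshold but is allow-listed; not blocking")
    for rule in block_rules(flagged):
        print(rule)
```

The detector only sees packets that reach a LOG rule, so in the real chain the LOG rule belongs after the ACCEPT rules for known-good addresses, and the rules it produces should be inserted (`-I`) ahead of everything else so the block takes effect for the next packet. iptables also ships a `recent` match that can do this kind of per-source tracking inside the kernel without a log-watching script; the script form is shown here because it makes the window and threshold logic explicit.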
