[vox] Re: security dilemma

Cylar Z cylarz at yahoo.com
Thu Sep 21 23:44:02 PDT 2006


Thanks to all who wrote...I saw some excellent ideas
that I plan on researching this weekend and
implementing. I have some questions though...

>I think you rely too much on the firewall to provide
>security. You
>should not feel bad about opening the firewall for
>ports that go to
>services that are secure anyway (such as sshd), even
>to a range of IP
>addresses that you know for a fact are untrustworthy.


Wouldn't allowing the whole world access to my
unfirewalled SSH port just invite every hacker out
there to take a stab at breaking in? I had it set up
like that at one point and the system was receiving
over 700 break-in attempts daily. Granted I had
disabled direct root login and had
13-digit/alpha/symbol strong passwords, but it still
made me nervous. Already the firewall blocks every
port except SSH, web, and mail. And on the SSH port it
denies all incoming connections not from a
pre-approved address range. The problem I'm having is
that the dog barks not only at burglars, but also his
master.


>You could add automatic firewall rules that detect
>activity such as
>portscanning, or connection attempts to illegitimate
>ports, and
>automatically block further packets from that IP.

That sounds great. Where can I get more information on
how to do that?

>...I'm not sure quite what you mean by "TCP
>wrappers". To me, that
>brings up images of xinetd and the like. And I don't
>see how wrapping a
>TCP service with another TCP service would make
>anything more secure...

TCP wrappers uses /etc/hosts.allow and /etc/hosts.deny
to control what IP addresses are allowed to attempt a
login to the system. Even valid users are blocked if
they come from an IP that TCP wrappers hasn't been
told to allow in. I use it as a secondary measure to
stop anyone who manages to get past the firewall -
I've heard that a layered approach is best.

>Someone else mentioned it also, but I will say it
>again, using a
>different port helps reduce the amount of automated
>attacks that hit your
>system. I use both port 22, and a different higher
>number port. I
>firewall the use of port 22 to a smaller set of
>addresses and leave the higher
>port open to the world.

1. How can you force an incoming SSH connection to
switch ports like that?

2. Wouldn't a port scanner easily detect the
higher-numbered port? I thought that's what scanners
do; find ports that are open because they have
services listening on them. I don't understand how
having 2 ports open through the firewall instead of
one is helpful from a security standpoint. Maybe I'm
missing something.


>3) Run dyndns on your broadband connection, and use
>cron to re-resolve your
>IP on a regular basis, and update an iptables rule

You mean, in effect, have the server write its own
IPTABLES rules after it determines what my originating
IP address is? How would it know that? Remember, the
server is on a remote network, and it accepts my
incoming connection only because my originating IP is
within a range that the firewall has been programmed
to allow in. To my way of thinking, dyndns is for
servers that run on dynamic-ip connections. The
server's IP is static; it's my incoming connection
whose source address is subject to change.

Thanks, Matt



If you're going to appoint yourself judge, jury, and executioner, at least make sure you're handing down the correct judgements.
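The dyndns-plus-cron suggestion quoted in the message above, written out as an added example (this is not code from the original post or from any of the posters). It assumes the picture the quoted poster had in mind: the admin's home connection runs a DynDNS update client, so a hostname such as the placeholder `home.example.dyndns.org` always resolves to the home connection's current address, and the static-IP server re-resolves that name from cron and moves its SSH allow rule whenever the answer changes. `DYN_HOST`, `STATE_FILE` and the `apply` argument are names chosen here, not anything from the thread.

```shell
#!/bin/sh
# Added example: keep an iptables SSH allow rule pointed at a DynDNS name.
# Intended to run from cron on the server, e.g.:  */5 * * * * /usr/local/sbin/ssh-allow.sh apply
# DYN_HOST / STATE_FILE are assumed placeholder values, not from the original post.

DYN_HOST="${DYN_HOST:-home.example.dyndns.org}"   # name the home DynDNS client keeps updated
STATE_FILE="${STATE_FILE:-/var/run/ssh-allow.ip}" # where the last address we allowed is cached
SSH_PORT="${SSH_PORT:-22}"
CHAIN="${CHAIN:-INPUT}"

# Resolve the name to one IPv4 address using the resolver library (glibc getent);
# prints nothing if resolution fails.
resolve_ip() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Accept only a dotted-quad IPv4 address. A DNS failure, an empty answer or a
# bogus record must never reach the iptables command line.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 (true) when the freshly resolved address is valid and differs from
# the cached one, i.e. when the firewall rule actually has to move.
needs_update() {   # args: new_ip old_ip
    is_ipv4 "$1" || return 1
    [ "$1" != "$2" ]
}

# Drop the allow rule for the previous address (if any) and insert one for the
# new address at the top of the chain, ahead of any blanket DROP/REJECT rule.
apply_rule() {     # args: new_ip old_ip
    if [ -n "$2" ]; then
        iptables -D "$CHAIN" -s "$2" -p tcp --dport "$SSH_PORT" -j ACCEPT 2>/dev/null
    fi
    iptables -I "$CHAIN" -s "$1" -p tcp --dport "$SSH_PORT" -j ACCEPT
}

main() {
    new_ip=$(resolve_ip "$DYN_HOST")
    old_ip=$(cat "$STATE_FILE" 2>/dev/null || true)
    if needs_update "$new_ip" "$old_ip"; then
        apply_rule "$new_ip" "$old_ip"
        printf '%s\n' "$new_ip" > "$STATE_FILE"
        logger -t ssh-allow "SSH allow rule moved from ${old_ip:-none} to $new_ip"
    fi
}

# The firewall is only touched when explicitly asked, so the helper functions
# can be sourced and exercised without root.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Two things worth noticing when adopting this: the server now lets a DNS answer decide who may reach port 22, so the `is_ipv4` check is not optional, and the rule should stay limited to that single port with key-based or strong-password authentication still behind it. Also, if the cached address is stale (the home IP changed and DNS has not caught up yet), the old rule is removed on the next successful change, not left lying around.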


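Matt asks where to read up on firewall rules that block an address automatically after repeated connection attempts. The following is an added example of the idea, not code from the original post or from any of the posters: it uses the iptables `recent` match to count NEW connections to the SSH port per source address and drops further attempts from any source that exceeds the threshold within a time window. The port, window, hit count and list name are placeholder settings chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): auto-throttle SSH connection
# attempts with the iptables "recent" match. Defaults below are assumed values.

SSH_PORT="${SSH_PORT:-22}"   # port sshd listens on (run again with another value for a second Port line)
WINDOW="${WINDOW:-60}"       # seconds over which NEW connections are counted
HITS="${HITS:-4}"            # the HITS-th NEW connection inside WINDOW gets dropped
LIST="${LIST:-sshguard}"     # name of the kernel's recent-match address list

# Print the rule set for one port. Generating the commands is kept separate
# from applying them so they can be reviewed (or tested) without root.
ssh_throttle_rules() {   # args: port window hits listname
    port=$1; window=$2; hits=$3; list=$4
    # 1. Record every source address that opens a NEW connection to the port.
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --set --name $list --rsource"
    # 2. If this source now has $hits or more entries within the last $window
    #    seconds, drop the packet. --update also refreshes the timestamp, so the
    #    block lasts as long as the source keeps retrying.
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --update --seconds $window --hitcount $hits --name $list --rsource -j DROP"
    # 3. Sources under the threshold are accepted normally.
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# Apply the generated rules for real (needs root). Usage: sh ssh-throttle.sh apply
apply_rules() {
    ssh_throttle_rules "$SSH_PORT" "$WINDOW" "$HITS" "$LIST" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  ssh_throttle_rules "$SSH_PORT" "$WINDOW" "$HITS" "$LIST" ;;
esac
```

Two practical points. First, this throttle does not distinguish burglar from master: a mistyped password a few times in a row from the admin's own address trips it too, so an ACCEPT rule for the trusted address range (or the DynDNS-tracked address) should sit above these rules in the chain. Second, the `recent` list holds a bounded number of addresses (100 by default), which is plenty for tracking repeat offenders but is not a permanent ban list; anything meant to persist across reboots belongs in a static rule or in a tool that maintains one. On the separate question of a second port: sshd accepts several `Port` lines in `sshd_config` and listens on all of them, and the client picks the one it wants with `ssh -p`; nothing forces a connection to switch, the two ports simply both lead to the same daemon, and the rules above can be applied once per port.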