Printable View
You're pretty much covered with these post, I would just add one thing. Put the firewall and the apache server on seperate boxes if you have the budget. That way your firewall doesn't have programs (vulnerabilities) running that aren't necessary to firewall operations. It doesn't take much CPU firepower for a little ipfilter (etc) box. No Gnome, no xwidows just a firewall.
I don't have enough money for a separate firewall box. But I run the server with no GUI and I make sure that I never leave root logged on for to long. So hopefully the chances of being successfully hacked are pretty slim.
I asked this same question a while back, and the AO community came to the same conclusion with some useful info and links.
Go here http://www.antionline.com/showthread...803#post610803
Catch's response led me to a couple of questions that maybe someone could answer.
Since most programs (including servers) only listen on certain ports that you can specify in the config file, could one not just set the default at deny all incoming and outgoing, except for the port the program is using? This should have basically the same effect, and since a server should not have a bunch of programs needing open ports to the outside, not many would need to be opened.Quote:
Just like Zone Alarm can prevent specific programs from sending connections and IPF cannot...
I thought a "closed" was any port not accepting connections, and a "stealth" port was just one set to drop requests rather than deny them. Wouldn't the above situation I described fit this situation?Quote:
you should close all the ports you don't want open rather than filtering them
Pretty much any program can listen on or connect to whatever port you tell them to, so this method does not work. besides, maybe you want to allow your web browser to connect to port 80, but you don't want trojan_giving_system_informtion_to_a_website.exe to connect to port 80.Quote:
Since most programs (including servers) only listen on certain ports that you can specify in the config file, could one not just set the default at deny all incoming and outgoing, except for the port the program is using? This should have basically the same effect, and since a server should not have a bunch of programs needing open ports to the outside, not many would need to be opened.
Stealthing under many situations can actually give back _more_ information than just having the port closed, especially on server system. Stealthing is just another farce from the Steve Gibson camp. If you have a system that is listening on port 80 and stealthing everything else, the attacker obviously knows that a system exists there, and using timing attacks a sophistocated attack can even determine the type of firewall you are running as stealthing adds more latency than having the port just not being open. This latency may be calculated be using a carefully constructed request to any open services. Once this is accomplished, the attacker can make a good guess about the firewall based on this data.Quote:
I thought a "closed" was any port not accepting connections, and a "stealth" port was just one set to drop requests rather than deny them. Wouldn't the above situation I described fit this situation?
catch
I had no idea that stealthing could lead to the attacker identifying the firewall you employ, thanks. However, the whole point of a trojan is that once it is in your system, it can disable and then evade the firewall, right? I agree that firewalls have different features and the owner/admin should be aware of this, but I still believe that in most cases its configuration is much more important than it missing a feature or two.
It depends on the trojan and on the firewall and the firewall location. Configuration is where assurances come in. Assurances include things like configuration documentation, what good is the most functional firewall if you can't determine what the correct configurations are? other firewall systems will actually inform you of what type of risks are involved with the current configuration, etc, etc.Quote:
Originally posted here by KeyserSoze
I had no idea that stealthing could lead to the attacker identifying the firewall you employ, thanks. However, the whole point of a trojan is that once it is in your system, it can disable and then evade the firewall, right? I agree that firewalls have different features and the owner/admin should be aware of this, but I still believe that in most cases its configuration is much more important than it missing a feature or two.
When selecting a system or subsystem it is always important to consider capabilities and assurances, don't worry about configuration. With sufficient assurances the configuration will be correct, and with insufficient capabilities, it doesn't matter how well you have it configured, it still won't do what you want. The "a system is only as secure as the admin" argument is made by people who lack sufficient understanding of the systems in question to put forth any tangible points. This argument is most notable when dealing with operating systems.
Also, consider this argument with cars, a car is only as good as its driver. Well, is this correct? Is a better driver going to allow a porsche 911 to seat 12 comfortably? Of course not. Is a good driver going to enable a city bus to do 0-60 in under 4 seconds? Again of course not. Here too assurances come into play as well, with many top end performance cars, driving school is included in the purchase of the car, kinda like good documentation/training that is included with high assurance computer systems. :)
catch
iptables is pretty good or else u wanna code a custome one!
probably suse comes with it!(mean iptables)