Linux Users' Group of Davis
Page last updated:
2006 Sep 21 00:53

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Re: [vox] security dilemma

On Wed, Sep 20, 2006 at 09:19:25PM -0700, Cylar Z wrote:
> Hey all,
> I have a security-related question and would like to
> solicit your advice on the best way to lock down my
> system, given the situation.
> My Redhat system is on a network, has a public static
> IP, and is exposed to the full traffic of the Internet
> - no DMZ or router/firewall protection. (I've
> considered adding a small router in front of it, but
> that is a separate issue.)
> I'm using an iptables firewall along with TCP
> wrappers. These two measures bolster system security
> by only allowing connections from a limited set of IP
> addresses where I and/or authorized users should be
> coming from while accessing the system remotely via
> SSH2. (All other connections are automatically denied
> by the firewall). I've also implemented some secondary
> security measures, but TCP wrappers and the firewall
> stop over 99% of break-in attempts.
> Here's the issue. As with many broadband customers, my
> IP changes occasionally, and every so often, my
> assigned client IP address falls outside of the range
> defined by the firewall and/or TCP wrappers on the
> remote Red Hat server.

I think you rely too much on the firewall to provide security. You
should not feel bad about opening the firewall for ports that go to
services that are secure anyway (such as sshd), even to a range of IP
addresses that you know for a fact are untrustworthy. If you are using
other, secure mechanisms to access the box, your lack of firewalling on
that port will make precious little difference.

You /could/ leave firewalling as is for sshd, and have a separate
service listening on an unfirewalled port that uses a different
authentication method that, once successfully authenticated, would
switch sshd's firewalling to only accept from /that/ IP address from now
on. The trouble with this is that the "extra security" is purely
illusory. It boils down to exactly the same level of security as just
using that same method of authentication on your unfirewalled sshd.

You could add automatic firewall rules that detect activity such as
portscanning, or connection attempts to illegitimate ports, and
automatically block further packets from that IP.

...I'm not sure quite what you mean by "TCP wrappers". To me, that
brings up images of xinetd and the like. And I don't see how wrapping a
TCP service with another TCP service would make anything more secure...

Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
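
The automatic blocking suggested in the reply above, sketched as an added example (not part of the original post and not written by its author). It assumes sshd on port 22 is the only exposed service; the list name `probers`, the one-hour block time and the `IPT` dry-run variable are illustrative choices.

```shell
#!/bin/sh
# Added example: block any source that tries a port with no legitimate service.
# Uses the iptables "recent" match to remember offending source addresses.

IPT="${IPT:-echo iptables}"      # dry run by default; run as root with IPT=iptables to apply
SSH_PORT="${SSH_PORT:-22}"       # assumption: sshd is the only exposed service
BLOCK_SECS="${BLOCK_SECS:-3600}" # assumption: how long a listed source stays blocked

build_rules() {
    # Loopback and already-established connections are never blocked.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Sources listed within the last BLOCK_SECS seconds are dropped first,
    # so a listed address cannot reach sshd either.
    $IPT -A INPUT -m recent --name probers --rcheck --seconds "$BLOCK_SECS" -j DROP

    # The one legitimate service: open to everyone not on the list.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

    # Any other new TCP connection is a probe of an illegitimate port:
    # record the source address in the list and drop the packet.
    $IPT -A INPUT -p tcp -m state --state NEW -m recent --name probers --set -j DROP

    # Everything else is dropped without listing the source.
    $IPT -A INPUT -j DROP
}

# Print the rules (dry run) or install them, depending on IPT.
build_rules
```

A single SYN to a closed port is enough to get listed, and the source address on such a packet can be forged, so keep console access or an explicit accept rule for a known address ahead of the block check to avoid locking yourself out.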