On 4/28/05, Roger Grosswiler <roger(a)gwch.net> wrote:
>> Hi,
>>
>> Taking again the thread about the SSH brute force attacks, but with a
>> question.
>>
>> We have a nice tool called system-config-securitylevel, why isn't it
>> possible to indicate some IPs or ranges there and click to "stealth" so
>> this port is just visible to the indicated IP addresses?
>>
>> Roger
>>
>
> Because it's a simple gui tool designed to be simple.
>
> You're right on this point, it's adding one more function, but adding this
> function would not mean crashing the usability of this tool, I think. It's
> just one more sensible option that EASILY keeps users' computers more
> secure, especially on servers.
You have to be able to parse things like: did you want to NOT allow
127.0.0.1 to connect? Did you mean 204.121.0.0/32 and not
204.121.0.0/16? It is not a trivial task to do right for the new
person. Or the fact that you put the -A INPUT -s 0.0.0.0/0 -j ACCEPT
before all your drops.
A tool that does this would be great, but I think its complexity would
be more than can be packaged simply into the installer :(. Even
putting this in an 'expert' section is more likely to shoot one in the
foot. [I have had to clean up more systems because the person thought
they had secured it and it was actually worse off.]
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
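
As an added illustration of the pitfalls Stephen lists (this is example code, not part of the original thread or of system-config-securitylevel), the following Python models an iptables INPUT chain with first-match semantics and checks three constructed rule sets: a catch-all ACCEPT placed before the drops, a /32 typed where a /16 was meant, and a correct ordering that still lets 127.0.0.1 connect. The 204.121.0.0/16 network is the one mentioned in the thread; the rule sets, the hypothetical 1.2.3.4 client, and the DROP-on-port-22 policy are constructed for the example.

```python
"""Toy first-match evaluator for an iptables INPUT chain.

Added example, not from the mailing-list post.  It shows why a GUI that
lets a user type an address range has to get rule order and prefix length
right: the same three rules in the wrong order, or with /32 instead of /16,
either protect nothing or lock the administrator out.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One `iptables -A INPUT` rule reduced to the fields this model needs."""
    source: ipaddress.IPv4Network        # -s CIDR (0.0.0.0/0 if absent)
    target: str                          # -j ACCEPT / DROP / REJECT
    dport: Optional[int] = None          # --dport N; None matches any port


def parse_rule(spec: str) -> Rule:
    """Parse the subset: -A INPUT [-p tcp --dport N] [-s CIDR] -j TARGET.

    strict=False mirrors iptables, which masks host bits silently, so a typo
    such as 204.121.5.6/16 becomes 204.121.0.0/16 without any warning.
    """
    tokens = spec.split()
    source = ipaddress.IPv4Network("0.0.0.0/0")
    target, dport = None, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-s":
            source = ipaddress.IPv4Network(tokens[i + 1], strict=False)
            i += 2
        elif tok == "-j":
            target = tokens[i + 1]
            i += 2
        elif tok == "--dport":
            dport = int(tokens[i + 1])
            i += 2
        else:
            i += 1                       # -A, INPUT, -p, tcp: not modelled
    if target not in ("ACCEPT", "DROP", "REJECT"):
        raise ValueError(f"unsupported or missing target in: {spec}")
    return Rule(source, target, dport)


def verdict(chain: List[Rule], src: str, dport: int, policy: str = "ACCEPT") -> str:
    """iptables semantics: the first matching rule wins; otherwise the chain policy."""
    ip = ipaddress.IPv4Address(src)
    for rule in chain:
        if ip in rule.source and (rule.dport is None or rule.dport == dport):
            return rule.target
    return policy


def dead_rules(chain: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already
    covers every packet they could see (the ACCEPT-before-DROP mistake)."""
    dead = []
    for i, later in enumerate(chain):
        for earlier in chain[:i]:
            port_covered = earlier.dport is None or earlier.dport == later.dport
            if port_covered and later.source.subnet_of(earlier.source):
                dead.append(i)
                break
    return dead


# Constructed rule sets (hypothetical; 204.121.0.0/16 is the net from the thread).
WRONG_ORDER = [parse_rule(r) for r in (
    "-A INPUT -s 0.0.0.0/0 -j ACCEPT",                          # catch-all first...
    "-A INPUT -p tcp --dport 22 -s 204.121.0.0/16 -j ACCEPT",
    "-A INPUT -p tcp --dport 22 -j DROP",                        # ...so this never fires
)]

WRONG_MASK = [parse_rule(r) for r in (
    "-A INPUT -p tcp --dport 22 -s 204.121.0.0/32 -j ACCEPT",    # /32 typed, /16 meant
    "-A INPUT -p tcp --dport 22 -j DROP",
)]

CORRECT = [parse_rule(r) for r in (
    "-A INPUT -s 127.0.0.0/8 -j ACCEPT",                         # keep loopback working
    "-A INPUT -p tcp --dport 22 -s 204.121.0.0/16 -j ACCEPT",
    "-A INPUT -p tcp --dport 22 -j DROP",
)]


if __name__ == "__main__":
    for name, chain in (("wrong order", WRONG_ORDER), ("wrong mask", WRONG_MASK), ("correct", CORRECT)):
        print(f"{name}: stranger 1.2.3.4 -> {verdict(chain, '1.2.3.4', 22)}, "
              f"admin 204.121.5.6 -> {verdict(chain, '204.121.5.6', 22)}, "
              f"loopback -> {verdict(chain, '127.0.0.1', 22)}, dead rules {dead_rules(chain)}")
```

Running it shows the three failure modes side by side: with the catch-all first, every host reaches port 22 and both later rules are reported dead; with the /32, only the single address 204.121.0.0 gets in and the administrator on 204.121.5.6 is dropped; the correct ordering admits the /16 and loopback and drops everyone else on 22 without touching other ports.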