NTP, ntpdate, and ISP-based firewall

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Thu Mar 4 22:21:26 UTC 2004


On Thu, 04.03.2004, jdow wrote at 22:51:

> > No, there is no difference between REJECT and DROP in that issue. To log
> > REJECTs and DROPs (I dislike DROP much) you have to set up proper
> > logging rules with iptables. As an example you might log events with
> > something like:
> > 
> > iptables -A INPUT -i ppp0 -p tcp -m tcp \
> >     --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG \
> >     -m limit --limit 10/min \
> >     -j LOG --log-prefix "NMAP-XMAS SCAN: " --log-level 7 \
> >     --log-tcp-options --log-ip-options
> > 
> > DROP is just "silent" against the remote initiator and lets it time out,
> > while REJECT sends back valid rejection information.
> > 
> > Alexander
> 
> Alexander, why do you want to be nice to those who would probe your
> barriers and tell them you are there? If THEY are nasty enough to
> probe me then I am nasty enough to let them timeout like unrequited
> love.
> 
> {^_^}

Jane,

it is not because of (wannabe) attackers or script kids, but because of
accidental or unnoticed misconfigurations, which it makes harder to find
out. If you just fear giving away too much information about your system
with a REJECT and use DROP to make it harder to guess, it would be only
"security by obfuscation". :) I, if I were an attacker kid, would find
silent hosts even more interesting than those saying "no service here".

But this is a totally different topic, very often discussed on the
appropriate forums (usenet and web).

Just my 2¢ (european cent:)

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2174.nptl
Sirendipity 23:14:55 up 14 days, 48 users, load average: 0.53, 0.43, 
                   [ Γνωθι σ'αυτον - gnothi seauton ]
             my life is a planetarium - and you are the stars
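Added example, not from this thread or its authors: a small Python parser for the kernel LOG records that the quoted rule emits, run over constructed sample syslog lines, so that logged probes (whether followed by REJECT or DROP) are summarised per source and port instead of sitting unread in the log. The syslog line layout, hostname and addresses are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

LOG_PREFIX = "NMAP-XMAS SCAN: "          # the --log-prefix from the quoted rule
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample syslog lines (not real traffic): three packets matched
# by the LOG rule plus one unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Mar  4 22:30:01 host kernel: NMAP-XMAS SCAN: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=12345 PROTO=TCP SPT=40123 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  4 22:30:02 host kernel: NMAP-XMAS SCAN: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=12346 PROTO=TCP SPT=40123 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  4 22:31:10 host kernel: NMAP-XMAS SCAN: IN=ppp0 OUT= MAC= SRC=192.0.2.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=777 PROTO=TCP SPT=5555 DPT=443 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  4 22:31:11 host sshd[123]: Accepted publickey for alex from 192.0.2.9 port 5556 ssh2
"""

# The kernel message follows "kernel: " (optionally a "[uptime]" stamp); the
# LOG prefix comes first, then KEY=VALUE fields and bare TCP flag names.
_KERNEL_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(?P<msg>.*)$")


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return a dict of LOG fields for a line carrying `prefix`, else None."""
    m = _KERNEL_RE.search(line)
    if not m or not m.group("msg").startswith(prefix):
        return None
    fields = {"flags": set()}
    for tok in m.group("msg")[len(prefix):].split():
        if "=" in tok:                      # e.g. SRC=203.0.113.7, OUT= (empty)
            key, _, val = tok.partition("=")
            fields[key] = val
        elif tok in TCP_FLAGS:              # bare tokens are the set TCP flags
            fields["flags"].add(tok)
    return fields


def summarize(lines, prefix=LOG_PREFIX):
    """Count logged packets per source and collect the TCP ports each one hit."""
    hits = Counter()
    ports = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line, prefix)
        if rec is None:
            continue
        hits[rec["SRC"]] += 1
        if rec.get("PROTO") == "TCP" and "DPT" in rec:
            ports[rec["SRC"]].add(int(rec["DPT"]))
    return hits, {src: sorted(p) for src, p in ports.items()}


if __name__ == "__main__":
    hits, ports = summarize(SAMPLE_LOG.splitlines())
    for src, n in hits.most_common():
        print(f"{src}: {n} logged packets, ports {ports[src]}")
```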