Shorewall for web server?

John Summerfied debian at herakles.homelinux.org
Wed Dec 28 17:15:30 UTC 2005


Tim wrote:
> On Wed, 2005-12-28 at 21:49 +0800, John Summerfied wrote:
> 
>>I've seen a couple of cracked boxes. The first thing the intruders did
>>was install their own server, an IRC bot. It was licenced under the
>>GPL, and they complied with the licence, giving me the source code to
>>it.
>>
>>It's true the boxes had servers on them: one needs ssh for remote 
>>maintenance, and it's the nature of useful server (boxes) that they
>>run server software on them, but the intruders didn't use the existing
>>servers except to gain entry.
> 
> 
> And how did they crack your box, and install stuff on it?  It'd be an

I didn't say whose box it was, and it was nothing to do with firewalls.


> exploit of a *service* of some kind.  If there was no service on the
> firewall (the only machine that they can directly access), then they
> couldn't install anything on it.  They have to have something to
> exploit.
I also didn't say it was the firewall. It wasn't, and the firewall 
wasn't at fault.

> 
> 
>>The protection offered by a firewall against incoming attacks is
>>vastly overrated.
> 
> 
> That's for sure, particularly if people believe that just having one
> protects them without any effort on their behalf, or that it's an
> absolute protection.  As I said, it's just another step towards greater
> security.
> 
> But a real, firewall-only, device between you and them does what the
> word suggests.  It's a hardy object that they can't do much to, and
> makes it difficult to do anything beyond it.
> 

Reread what I did say. A firewall does not prevent attacks against 
services that must be open to the public, for example, because they 
provide a public service. Neither does your firewall protect against 
content you invite through it such as stuff from my website.

If you want to run an ftp server for people to download stuff, then 
people have to be able to access it. If you don't need to operate an ftp 
server, then don't install it and nobody can attack it, firewall or no.




-- 

Cheers
John

-- spambait
1aaaaaaa at computerdatasafe.com.au  Z1aaaaaaa at computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

do not reply off-list
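The post's point is that the attack surface is whatever is listening for the public, not the firewall. The script below is an added example (not part of the original thread, and not John's or Tim's code) that puts that into a check a server administrator can run: it reads a listing in the format of `ss -ltnH`, ignores sockets bound only to loopback, and reports any publicly reachable port that is not on an allowlist of intended services. The allowlist of ssh, http and https and the sample listing are assumptions constructed for offline demonstration; on a real host the listing would come from `ss -ltnH` (or `netstat -ltn`).

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Audit publicly reachable TCP listeners against an allowlist of services
# this host is meant to expose. Input is in the shape of `ss -ltnH` output:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Assumption for the example: this box is a web server that also needs ssh.
ALLOWED_PORTS="22 80 443"

# Constructed sample listing (not captured from a real host). It includes an
# ftp daemon and an IRC-style listener that nobody intended, plus a database
# bound only to loopback, which is not reachable from outside.
SAMPLE_LISTING='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 5 0.0.0.0:21 0.0.0.0:*
LISTEN 0 10 0.0.0.0:6667 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*'

# Print the port of every listener on stdin that is bound to a non-loopback
# address, i.e. every service the public could actually reach.
public_listening_ports() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        # 127.0.0.0/8 and [::1] are loopback-only: not exposed, skip them
        if (addr ~ /^127\./ || addr == "[::1]") next
        print port
    }'
}

# Print the publicly reachable ports from stdin that are not allowlisted.
unexpected_ports() {
    public_listening_ports | while read -r port; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;                  # an intended service
            *) printf '%s\n' "$port" ;;      # nobody meant to run this
        esac
    done
}

# Run the check over the constructed sample; prints 21 and 6667.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | unexpected_ports
}

# Live use on a real host (uncomment):
# ss -ltnH | unexpected_ports
```

Anything the check prints is a service that is reachable regardless of the firewall and should either be removed, as the post suggests for an unneeded ftp server, or explicitly added to the allowlist because it is meant to be public.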
