[svlug] Firewalls?

Don Marti dmarti at zgp.org
Wed Jan 24 11:52:32 PST 2007


begin Rick Moen quotation of Wed, Jan 24, 2007 at 12:57:52AM -0800:

> Hey, right on schedule, here come the gadget freaks!

My web server logs have often gotten messy
with 404s from attackers or malware looking for
/exploitable+web+app.(php|asp)

I could move the web server and use :port URLs,
but it's easier for me not to pay attention to 404s
that only pop up a few times.  I treat failed SSH
login attempts the same way.  If I really wanted to
look at the logs I could, but the person to worry
about isn't the kiddie trying michael, ftp, test,
webmaster, postmaster, postfix, paul, and root, but
the person who's doing a stealth scan to find sshd on
whatever port it's hiding on in order to build a list
of servers to try when the next exploit comes out.
Some ways to lower the risk from this person are
(1) run the minimum software possible and keep what
you do have up to date (2) use local firewall rules
where possible to limit which addresses are allowed
to ssh in (3) use both ssh configuration and local
firewall rules to enforce a policy of "don't accept
ssh connections from hosts that themselves accept
incoming ssh" and (4) have up to date *off line*
backups.

I agree with Rick that the kind of ssh probing that
creates a lot of logfile noise is more of a logfile
management problem than a security problem.

-- 
Don Marti                    
http://zgp.org/~dmarti/
dmarti at zgp.org
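The triage approach described above (ignore 404s and failed logins that only show up a few times, look harder at sources that keep coming back, and restrict sshd to known addresses) as an added worked example. This code is not from Don Marti's post or the svlug list; the access-log and auth-log lines are constructed samples, the threshold of three is an arbitrary choice, and the 198.51.100.0/24 admin network in the nftables snippet is an assumed value.

```python
"""Triage probe noise in web and sshd logs, then express an SSH source
allowlist as nftables rules.

Added example (not from the original svlug post). The log lines below are
constructed samples, not real traffic.
"""
import re
from collections import defaultdict

# Constructed Apache combined-format lines: one source probing for web apps
# that are not installed, one ordinary visitor with a single missing favicon.
ACCESS_LOG = """\
203.0.113.5 - - [24/Jan/2007:11:40:01 -0800] "GET /phpmyadmin/index.php HTTP/1.0" 404 209
203.0.113.5 - - [24/Jan/2007:11:40:02 -0800] "GET /admin/login.asp HTTP/1.0" 404 209
198.51.100.7 - - [24/Jan/2007:11:41:10 -0800] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [24/Jan/2007:11:41:11 -0800] "GET /favicon.ico HTTP/1.1" 404 209
203.0.113.5 - - [24/Jan/2007:11:42:30 -0800] "GET /exploitable.php HTTP/1.0" 404 209
"""

# Constructed sshd syslog lines: a username-guessing run from one address,
# a legitimate key login, and a single typo-style failure from another host.
AUTH_LOG = """\
Jan 24 11:50:01 host sshd[1234]: Failed password for invalid user michael from 192.0.2.9 port 40001 ssh2
Jan 24 11:50:02 host sshd[1235]: Failed password for invalid user ftp from 192.0.2.9 port 40002 ssh2
Jan 24 11:50:03 host sshd[1236]: Failed password for invalid user test from 192.0.2.9 port 40003 ssh2
Jan 24 11:50:04 host sshd[1237]: Failed password for root from 192.0.2.9 port 40004 ssh2
Jan 24 11:51:00 host sshd[1240]: Accepted publickey for dmarti from 198.51.100.7 port 50000 ssh2
Jan 24 11:52:00 host sshd[1241]: Failed password for paul from 198.51.100.20 port 50100 ssh2
"""

# Source IP, method, path and status from a combined-format access line.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Username and source IP from an sshd password failure (valid or invalid user).
AUTH_RE = re.compile(r'sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port')


def web_404s(log):
    """Map each source IP to the list of paths it received a 404 for."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(4) == "404":
            hits[m.group(1)].append(m.group(3))
    return hits


def ssh_failures(log):
    """Map each source IP to the list of usernames it failed to log in as."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            hits[m.group(2)].append(m.group(1))
    return hits


def triage(hits, threshold=3):
    """Split sources into noise (fewer than threshold events) and repeat
    offenders (threshold or more). Returns (noise, repeat) as {ip: count}."""
    noise = {ip: len(v) for ip, v in hits.items() if len(v) < threshold}
    repeat = {ip: len(v) for ip, v in hits.items() if len(v) >= threshold}
    return noise, repeat


def nft_ssh_allowlist(admin_cidrs, ssh_port=22):
    """Render an nftables input chain that only accepts SSH from the given
    networks (point 2 of the post). The admin networks are the caller's
    assumption; the rules are returned as text, not applied."""
    saddrs = ", ".join(admin_cidrs)
    return (
        "table inet filter {\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy drop;\n"
        "    ct state established,related accept\n"
        "    iif lo accept\n"
        f"    ip saddr {{ {saddrs} }} tcp dport {ssh_port} accept\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    for label, hits in (("web 404s", web_404s(ACCESS_LOG)),
                        ("ssh failures", ssh_failures(AUTH_LOG))):
        noise, repeat = triage(hits)
        print(f"{label}: ignoring {noise}, worth a look: {repeat}")
    # Assumed admin network; replace with the addresses you actually ssh from.
    print(nft_ssh_allowlist(["198.51.100.0/24"]))
```

Run stand-alone it reports the single favicon 404 and the lone failed login for `paul` as noise, and flags 203.0.113.5 (three 404s for web apps that do not exist) and 192.0.2.9 (four usernames tried in a row) as the sources worth attention; the nftables text is printed so it can be reviewed before anything is loaded.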