On Wed, 06 Nov 2013 10:30:30 +0000 Kevin Steen <ks@xxxxxxxxxxxxxx> allegedly wrote:

> On 06/11/13 06:09, Andreas Krey wrote:
> > On Tue, 05 Nov 2013 14:09:40 +0000, Thomas Hand wrote:
> > ...
> >> Also, use iptables! If it is a dedicated VPS then drop anything
> >> you don't recognize,
> >
> > What for? The ports that you want to block are rejected by the
> > kernel anyway, as there is no one listening. (The minor added
> > protection that malware needs to be root to disable iptables and
> > effectively listen - is that worth the work?)
>
> Dropping bad requests will reduce your bandwidth usage through not
> having to send TCP RST responses, and will also increase the workload
> of the attacker as they'll have to wait for a timeout on each
> connection.

It is also good practice to whitelist traffic inbound. The fact that
there is no service currently listening on port "N" does not mean that
there will /never/ be a service listening on port "N". Blocking by
default can protect you from that WTF moment when you find that some
system upgrade or reconfiguration has fired up a service you didn't
expect or thought you had removed. I've been there. I also believe in
belt and braces.

> I wouldn't recommend dropping everything, though, as it makes
> troubleshooting very difficult - just drop connections to ports which
> get attacked.

I disagree. Dropping all traffic other than that which is explicitly
required is IMHO a better practice. (And how do you know in advance
which ports get attacked?)

Best

Mick

---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
---------------------------------------------------------------------
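The default-deny inbound policy with an explicit allow list that Mick argues for above, written out as an added example (not code from the thread or from the Tor project). It generates a ruleset in iptables-restore format so that the whole INPUT chain is replaced in one atomic step rather than rule by rule; the port numbers (ORPort 9001, DirPort 9030, SSH 22), the function names and the log prefix are assumptions, and the script needs root only when it actually loads the rules.

```shell
#!/bin/sh
# Added example: default-drop inbound firewall for a dedicated relay host.
# Assumed ports: ORPort 9001, DirPort 9030, SSH 22 (adjust to your torrc).

# make_ruleset ORPORT DIRPORT SSHPORT
# Print an iptables-restore ruleset for the filter table on stdout.
make_ruleset() {
    orport="$1"; dirport="$2"; sshport="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host started must stay open,
# otherwise DNS, package updates and the relay's own circuits break.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot place in any flow: drop them early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Rate-limited ping, and fragmentation-needed so path MTU discovery works.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# The allow list: only new TCP connections to ports we mean to serve.
-A INPUT -p tcp --dport $orport --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $dirport --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $sshport --syn -m conntrack --ctstate NEW -j ACCEPT
# Anything else hits the chain policy (DROP). Log a trickle of it so an
# unexpected listener shows up in the logs instead of silently failing.
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# apply_ruleset ORPORT DIRPORT SSHPORT
# Load the ruleset atomically. iptables-restore swaps the whole table in
# one step, so a typo cannot leave a half-built chain that locks out SSH.
apply_ruleset() {
    make_ruleset "$1" "$2" "$3" | iptables-restore
}

# count_accept_rules ORPORT DIRPORT SSHPORT
# Number of explicit NEW-connection accepts in the generated ruleset,
# i.e. the size of the allow list (used for a quick sanity check).
count_accept_rules() {
    make_ruleset "$1" "$2" "$3" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Usage: ORPORT=9001 DIRPORT=9030 SSHPORT=22 ./relay-fw.sh --dry-run
# prints the ruleset; replace --dry-run with --apply to load it as root.
case "${1:-}" in
    --dry-run) make_ruleset "${ORPORT:-9001}" "${DIRPORT:-9030}" "${SSHPORT:-22}" ;;
    --apply)   apply_ruleset "${ORPORT:-9001}" "${DIRPORT:-9030}" "${SSHPORT:-22}" ;;
esac
```

Two caveats for a live host: this only covers IPv4, so a relay with an IPv6 ORPort needs the same ruleset loaded through ip6tables-restore or every IPv6 port stays wide open; and the ESTABLISHED,RELATED rule has to come before the policy takes effect, which is why loading through iptables-restore rather than appending rules one at a time matters when you are connected over SSH.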
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays