About my Firewall Settings - I would like an opinion
Manuel Gomez
mgdpz1 at gmail.com
Mon Nov 10 20:37:58 UTC 2008
Sam Kuper wrote:
> 2008/11/10 Sam Kuper <sam.kuper at uclmail.net>
>
> By using REJECT instead of DROP, you have no stealth. This means
> you can be port-scanned to look for weaknesses, e.g. unpatched
> OpenSSH vulnerabilities, etc.
>
>
> That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
> significant. If you're allowing any inbound traffic, though, any
> unpatched flaws in the app servicing that inbound traffic could expose
> your system to attack.
>
> Also, by REJECTing rather than DROPping, you might be more vulnerable
> to DoS attacks.
>
> Consider using a default (LOG and) DROP policy instead. Michael Rash's
> site (http://www.cipherdyne.org) has some good
> resources for learning about this and implementing it.
OK, I have set the default policy to DROP. What more could I do?
Thank you very much.
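
The default LOG-and-DROP policy suggested in the quoted reply, expressed as a check over `iptables-save` output. This is an added example, not part of the original messages; both rule dumps and the `audit` function are constructed for illustration.

```python
import shlex

# Constructed iptables-save dumps: catch-all REJECT vs. default LOG-and-DROP.
BEFORE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

AFTER = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
COMMIT
"""

def audit(ruleset, chains=("INPUT", "FORWARD")):
    """Return findings for the filter table of an iptables-save dump."""
    policy, targets, table = {}, {c: [] for c in chains}, None
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith("*"):                      # table header, e.g. *filter
            table = line[1:]
        elif table == "filter" and line.startswith(":"):   # ":CHAIN POLICY [pkts:bytes]"
            chain, pol = line[1:].split()[:2]
            policy[chain] = pol
        elif table == "filter" and line.startswith("-A "):  # appended rule
            tok = shlex.split(line)                   # keeps quoted log prefixes whole
            if tok[1] in targets and "-j" in tok[:-1]:
                targets[tok[1]].append(tok[tok.index("-j") + 1])
    findings = []
    for c in chains:
        if policy.get(c) != "DROP":
            findings.append(f"{c}: default policy is {policy.get(c)}, not DROP")
        if "REJECT" in targets[c]:
            findings.append(f"{c}: REJECT rule replies to blocked packets")
        # The LOG rule must be last so only packets about to hit the policy are logged.
        if c == "INPUT" and targets[c][-1:] != ["LOG"]:
            findings.append(f"{c}: no final LOG rule before the policy applies")
    return findings

if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER), sep="\n")
```

On a live host the input would come from `iptables-save` run as root.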