Paul Jacobs asked:

> Why is it that after SUN'S new "TCP Hardening" patch and
> the 8+ new services running on my box now that when you
> goto "Action Against Detected Scans" and select "Log and
> Block" you get a message saying "if you enable this
> option you will be open to DOS attacks!"?

Imagine: you know someone just installed this patch. You then attack it with a whole 
stack of spoofed IP addresses, thousands of packets over a short time. The RaQ then 
explodes by:

a) filling up its log partition, and
b) potentially blocking itself and/or the router it's attached to, DNS servers and so 
on.

Yes, these offerings from Sun are a good idea; the white paper gives a fairly 
comprehensive (though not too detailed) overview of how they achieve things, but it's 
still easy to cripple a machine with them installed.

Better to have all your internet-facing services as secure as possible. Generally, I 
don't give a stuff if someone scans a machine of mine and finds a webserver and SSH 
server. None of the other ports are accessible, anyway.

It's all in the configuration. You want to know if someone prodded all your service 
ports, not the 65000+ other ones!

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
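The self-inflicted denial of service Graeme describes, as an added simulation that is not part of the original thread and not Cobalt or Sun code: a naive "log and block" responder that reacts to every probe is fed a constructed burst of spoofed packets (including ones forged from the router and resolver addresses), and is compared with a guarded policy that only records probes of the ports actually exposed, never blocks infrastructure addresses, requires repeated probes from a source, and caps the block list. All addresses, ports, thresholds and the log capacity are constructed sample values, not anything from the RaQ patch.

```python
"""Simulate 'log and block' responses to a spoofed port scan.

Added example (not Cobalt/Sun code).  The infrastructure addresses, exposed
ports, log capacity and thresholds below are constructed assumptions chosen
to make the failure mode visible.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Addresses this host depends on and must never block (constructed values):
# the default router, the DNS resolver, and loopback.
NEVER_BLOCK = [ip_network("192.0.2.1/32"),
               ip_network("192.0.2.53/32"),
               ip_network("127.0.0.0/8")]

# The only ports reachable on this host; probes of anything else are noise.
EXPOSED_PORTS = {22, 80, 443}


@dataclass
class ResponderState:
    blocked: set = field(default_factory=set)   # source addresses firewalled off
    log_lines: int = 0                           # lines written to the log partition
    dropped_log_lines: int = 0                   # lines lost once the partition is full


def _log(state, capacity):
    """Write one log line, or count it as lost if the partition is full."""
    if state.log_lines < capacity:
        state.log_lines += 1
    else:
        state.dropped_log_lines += 1


def naive_policy(events, state, log_capacity):
    """The dangerous setting: log and block every source of every probe,
    trusting the (spoofable) source address completely."""
    for src, _port in events:
        _log(state, log_capacity)
        state.blocked.add(src)
    return state


def guarded_policy(events, state, log_capacity, max_blocks, threshold):
    """Only react to probes of exposed ports, never block infrastructure,
    require `threshold` probes from a source, and cap the block list."""
    hits = Counter()
    for src, port in events:
        if port not in EXPOSED_PORTS:
            continue                       # ignore the 65000+ other ports
        _log(state, log_capacity)
        if any(ip_address(src) in net for net in NEVER_BLOCK):
            continue                       # a spoofed router/resolver address
        hits[src] += 1
        if hits[src] >= threshold and len(state.blocked) < max_blocks:
            state.blocked.add(src)
    return state


def blocked_infrastructure(state):
    """Infrastructure addresses the responder has cut itself off from."""
    return sorted(s for s in state.blocked
                  if any(ip_address(s) in net for net in NEVER_BLOCK))


def make_spoofed_scan(n=1000):
    """Constructed attack traffic: n packets from 250 rotating spoofed sources,
    one in ten aimed at SSH, plus ten packets forged from the router and
    resolver addresses."""
    events = [(f"203.0.113.{i % 250 + 1}", 22 if i % 10 == 0 else 1024 + i)
              for i in range(n)]
    events += [("192.0.2.1", 22)] * 5 + [("192.0.2.53", 22)] * 5
    return events


if __name__ == "__main__":
    scan = make_spoofed_scan()
    naive = naive_policy(scan, ResponderState(), log_capacity=500)
    guarded = guarded_policy(scan, ResponderState(), log_capacity=500,
                             max_blocks=100, threshold=3)
    for name, st in (("naive", naive), ("guarded", guarded)):
        print(f"{name:8s} blocked={len(st.blocked):4d} "
              f"infra_blocked={blocked_infrastructure(st)} "
              f"logged={st.log_lines} lost={st.dropped_log_lines}")
```

With the constructed burst the naive responder blocks every forged source, including the router and resolver, and loses half its log lines; the guarded one logs only the probes of ports that matter, blocks a small set of persistently probing sources, and never touches the infrastructure it depends on.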