On Tue, 21 Feb 2006 07:09:58 MST, James Lay said: > I completely agree for ports that I would have closed, but obviously I > could not simply deny *all* traffic for port 25 and 80 let's say, as I > want them open to the public.
At which point a list of the 100 million or so compromised machines believed to be out there doesn't do you much good. (Yes, the number is likely to be that high - at one point we were seeing several hundred thousand new zombies *per day*.) If you implement the block list, your machine runs like a pig (how much kernel memory do 100M iptables rules nail down?? ;) And you *still* have to worry about evil packets arriving on ports 25 and/or 80 from machines that haven't been *flagged* as evil yet. (Note that with 100M rules, trying to do even daily syncs is non-trivial - and you're going to want to do this on an hourly basis or so if you want it to be at all useful. When the update takes over an hour, you're in trouble.....) Your only real choice here is to make sure that 25 and 80 (and other outward-facing services) are as bulletproof as possible, against all packets from whatever source, and remain vigilant.
pgptRfk46lohl.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
