G'day IT Support NZ,

<snip>

>> Should I be running ipchains/iptables/whatever locally (on the server,
>> because it's on 24/7, and on the laptops because they might be plugged
>> in to someone else's network). If so, why? And why would I need that on
>> top of locking down sshd on the only open port?
>
> I'd agree with you really. Until you start hosting other services on
> your servers, there's not too much of a need.
>
> I would just check and see what ports are open - run an nmap of your
> server from horse or something - and take any appropriate action. My
> router has a 'default destination' option, which I don't use! Mind you,
> you could have some fun with it.

It depends on how security conscious you are. If you have laptops going outside your firewall and coming back in, then your main server is open to any malicious code which has hit your laptops .. a server-based firewall would slow that down or stop it rather than leaving all ports open on your intranet.

The other thing is how much do you trust your router? There are a number of exploits, most notably for Cisco and other big-name routers, which can crack your gateway wide open.

I agree with doing an nmap or visiting grc.com and doing the ShieldsUP test on your system from an external location.

As for the default destination ... I tend to point my NAT rules (except for those being used to open ports to the net) to a bogus computer such as 10.66.66.66. This computer doesn't exist and so you have the router transparently passing through packets and the (non-existent) machine not answering .. thus you are a black hole in the water. It makes your machine disappear off the net. This is doubly effective if you explicitly check port 135 and port 0 and make sure those are routed as well.

And before someone tells me there is no port zero ... I know .. but it is an exploit that can be used to determine the existence of an otherwise hidden firewall or router.

HTH,
Shane

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.10.1 - Release Date: 20/04/2005
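As an added example, not from Shane or anyone else in this thread: the kind of minimal default-deny host firewall the original question is asking about, for a Linux box whose only listening service is sshd. It assumes iptables (IPv4) with the state match, and the trusted LAN 192.168.1.0/24 and port 22 are constructed defaults; the rules are printed for review unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny INPUT chain for a host
# that only runs sshd. Assumes iptables with the state match; the trusted
# LAN and SSH port are constructed defaults that can be overridden.
# The rules are only printed unless APPLY=1, because one typo applied to a
# remote server locks you out.

# host_fw_rules [PORT] [TRUSTED_NET] -> prints the rules, one per line.
# Order matters: the ESTABLISHED,RELATED rule is added before the INPUT
# policy flips to DROP, so the SSH session applying the rules survives.
# A roaming laptop keeps sshd reachable only from the trusted LAN, which
# is the "plugged in to someone else's network" case from the question.
host_fw_rules() {
    port="${1:-22}"
    net="${2:-192.168.1.0/24}"
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --dport $port -s $net -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "hostfw-drop: "
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# apply_rules [PORT] [TRUSTED_NET]: runs the rules (as root) when APPLY=1,
# otherwise just shows them so they can be checked first.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        host_fw_rules "$@" | sh -e
    else
        host_fw_rules "$@"
    fi
}

apply_rules "$@"
```

Everything not matched by an ACCEPT rule is logged (rate-limited) and then dropped by the policy, which is also how you would see a compromised laptop probing the server from inside the LAN.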
