On Sun, 29 Jul 2012 00:33:49 +0200, Reindl Harald <h.rei...@thelounge.net> wrote:
> On 28.07.2012 20:03, Mark Alan wrote:
> >> The solution is to exempt traffic sent from the machine from the
> >> rate controls.
> >
> > In 2012, in a server facing the net and running other services
> > besides mail, I would not call it a safe bet. In the event (that
> > must be accounted for) of an intrusion, one should consider that a
> > syn flood DOS isn't an exclusive of the INPUT stream
>
> if you do not trust your OUTGOING traffic the only valid
> reason is that you doubt your machine is compromised

[The problem, as said in another email, is (mostly) solved]

- I do not trust anything connected 24h to the Internet.
- I do not trust anything in a Xen VPS that sits in a datacenter owned / managed / maintained by I do not know exactly who.
- I do not trust any software, open source or otherwise, that has a level of complexity high enough to not be fully understood by the installer, maintainer, user, etc.

[ Just google for "OpenSSH FBI backdoor". Its IPSEC stack was a relatively small but nevertheless highly sensitive piece of software. Look how it managed to elude, for so many years, so many security conscious people, including most of the more security conscious developers around: the developers of the OpenBSD - the "Ultra-Secure Operating System". ]

This 'thing' just became so complex and with so many variables, that it became impossible to know them all and to account for them all. We can only reduce the size of the target and make it a little more difficult to break in.

And that is why we keep an eye on syslog and cousins and ask for help here on this list when we start to see firewall drop-outs related with Postfix.

> and NO a synflood will never come in the OUTPUT stream
> except your machine is compromised, but if so shut it down

I am afraid that time will show you otherwise. These systems are not 'simple', not even 'complicated', they are real 'complex systems'.

And, worse, with so many knowledgeable people with time and resources to invest into breaking these systems, these are now real 'complex adaptive systems'.

Thank you,

M.
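The two positions in the thread, "exempt traffic sent from the machine from the rate controls" and "do not trust the OUTPUT stream either", can both be expressed in one iptables ruleset. The script below is an added example and is not code from this thread, from Postfix or from either poster. Inbound SMTP SYNs are rate-limited; replies to connections the host itself opened are exempted through connection tracking; and OUTPUT gets a generous ceiling that logs before dropping, so a burst of outbound SYNs shows up in syslog (the thing Mark says he watches) instead of passing silently. The chain layout, rates, burst sizes and log prefixes are assumed values chosen for illustration, not anything stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix: an iptables ruleset
# that exempts locally originated traffic from the inbound SYN limit while
# still watching the OUTPUT side. Rates, bursts and log prefixes are
# assumptions for illustration; tune them to the host's real load.

build_rules() {
    # Loopback and replies to connections this host opened bypass the limit:
    # this is the "exempt traffic sent from the machine" part.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New inbound SMTP connections: 30/min sustained with a burst of 60.
    # Excess SYNs are logged (at most 1/sec, to spare syslog) and dropped.
    echo "iptables -A INPUT -p tcp --syn --dport 25 -m limit --limit 30/min --limit-burst 60 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --syn --dport 25 -m limit --limit 1/sec -j LOG --log-prefix \"SMTP SYN LIMIT: \""
    echo "iptables -A INPUT -p tcp --syn --dport 25 -j DROP"
    # Outbound: a mail server opens a modest number of connections per second,
    # so a sustained flood of new SYNs is a detection signal, not normal load.
    # The ceiling is high enough not to interfere with ordinary delivery.
    echo "iptables -A OUTPUT -p tcp --syn -m limit --limit 200/sec --limit-burst 400 -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp --syn -m limit --limit 1/sec -j LOG --log-prefix \"OUTBOUND SYN BURST: \""
    echo "iptables -A OUTPUT -p tcp --syn -j DROP"
}

# Number of rules appended to a given chain (INPUT or OUTPUT); a quick
# sanity check before applying.
rules_for_chain() {
    build_rules | grep -c -- "-A $1 "
}

# Dry run by default: print the rules. Apply them only when APPLY=1 is set
# and iptables is actually present on the host.
if [ "${APPLY:-0}" = "1" ] && command -v iptables >/dev/null 2>&1; then
    build_rules | sh
else
    build_rules
fi
```

Run it without arguments to review the generated rules; `APPLY=1 sh rules.sh` applies them. The outbound LOG rule is the piece that answers the "only if compromised" argument: if the host is ever made to emit a SYN flood, the `OUTBOUND SYN BURST:` lines in syslog are the earliest sign, and the DROP after them limits what the box can do to others while you investigate. The outbound ceiling must be set above the host's legitimate peak delivery rate, otherwise a busy queue flush will trip it.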