Re: Ports to block?

2001-04-07 Thread David Dorgan
Simple solution. Turn off all services and justify each open port. At the network level block all but ports needed from the outside (e.g. ssh may be needed, but does the outside need to be able to get to it? or if you have a static ip on dialup you could add a rule for this to allow you to get to

Re: Ports to block?

2001-04-06 Thread Karl E. Jorgensen
On Fri, Apr 06, 2001 at 10:39:47AM -0700, Eric N. Valor wrote:
> Well, most folks like to connect to the Web, so port 80 is a must for that
> (it's 2-way on the same port). 53 is required only if you're running BIND

Is that true? I only block *incoming* port 80, but I'm still able to surf the

Re: Ports to block?

2001-04-06 Thread Steve Greenland
On 06-Apr-01, 12:39 (CDT), "Eric N. Valor" <[EMAIL PROTECTED]> wrote:
> Well, most folks like to connect to the Web, so port 80 is a must for that
  ^^

Uh, no, that's not correct.

Steve, refraining from several more sarcast

Re: Ports to block?

2001-04-06 Thread Eric N. Valor
At 03:27 AM 4/6/2001 +0200, you wrote:
> On Thu, Apr 05, 2001 at 01:40:54PM -0700, Eric N. Valor wrote:
> > I work from a default-deny stance. Usual things to then allow in would be
> > 25 (smtp), 80 (http), 22 (ssh, although be careful here), 53-UDP (DNS, if
>
> This strikes me as odd, warning to be

Re: Ports to block?

2001-04-06 Thread Thor
hi

[...]
> If you disable icmp pings then you can hide from most scans.

... and you break also the RFC ...

---
;---+---; bye | bye |hor

Re: Ports to block?

2001-04-05 Thread Jamie Heilman
Nate Duehr wrote:
> On Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:
> > If you run a web server then open port 80 tcp, if you have SMTP inbound
> > email then open port 25 tcp, if you run your own DNS for your domain
> > then open port 53 udp.
>
> You're going to be upset the first

Re: Ports to block?

2001-04-05 Thread J C Lawrence
On Thu, 05 Apr 2001 13:40:54 -0700 Eric N Valor <[EMAIL PROTECTED]> wrote:
> 53-UDP (DNS, if you have bind running)

DNS will talk TCP on port 53 if the record requested is particularly large.

--
J C Lawrence [EMAIL PROTECTED] -(*)

Re: Ports to block?

2001-04-05 Thread Carel Fellinger
On Thu, Apr 05, 2001 at 01:40:54PM -0700, Eric N. Valor wrote:
>
> I work from a default-deny stance. Usual things to then allow in would be
> 25 (smtp), 80 (http), 22 (ssh, although be careful here), 53-UDP (DNS, if

This strikes me as odd, warning to be careful with ssh in the same sentence

Re: Ports to block?

2001-04-05 Thread Nate Duehr
On Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:
> If you run a web server then open port 80 tcp, if you have SMTP inbound
> email then open port 25 tcp, if you run your own DNS for your domain
> then open port 53 udp.

You're going to be upset the first time you hit a site that has en

Re: Ports to block?

2001-04-05 Thread Hans Spaans
On Friday 06 April 2001 00:09, Cherubini Enrico wrote:
> Ciao,
>
> Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:
> > It is most secure to block everything and only open the ports that are
> > absolutely necessary.
>
> ok, this is clear. What's the way you ppl do that through
> ipchains

Re: Ports to block?

2001-04-05 Thread Eric N. Valor
It's better to do it this way:

ipchains -P input DENY
ipchains -A input -s (source add./port) -d (dest. add./port) -j ACCEPT
.
.
.
(acceptance rules)
ipchains -A input -j DENY -l   (logs all stuff not ACCEPTed above).

I also put other DENY statements on top of the last logging DENY for things

Re: Ports to block?

2001-04-05 Thread Cherubini Enrico
Ciao,

Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:
> It is most secure to block everything and only open the ports that are
> absolutely necessary.

ok, this is clear. What's the way you ppl do that through ipchains/iptables ? Is it better to use the ACCEPT policy and then DENY all o

Re: Ports to block?

2001-04-05 Thread Timothy H. Keitt
You don't need to block any ports if you turn off unneeded services in the first place. (You may only need sshd.) Put appropriate access controls on the services you do provide. _Then_ consider packet filtering. Packet filtering is only needed if your machine is a firewall or if you want to

Re: Ports to block?

2001-04-05 Thread Steve Ball
It is most secure to block everything and only open the ports that are absolutely necessary. They can only attack what they can see.

If you run a web server then open port 80 tcp, if you have SMTP inbound email then open port 25 tcp, if you run your own DNS for your domain then open port 53 ud

Re: Ports to block?

2001-04-05 Thread Eric N. Valor
I work from a default-deny stance. Usual things to then allow in would be 25 (smtp), 80 (http), 22 (ssh, although be careful here), 53-UDP (DNS, if you have bind running), and various ICMP (echo-reply/request, source-quench, destination-unreachable, time-exceeded, and parameter-problem are g

Re: Ports to block?

2001-04-05 Thread Alex Swavely
The first thing I do, right off, is block all ports >1024 coming in, then get a list of what's running, and block everything else except those services I want to pass through...

Brandon High wrote:
> Does anyone have a recommendation of ports that should be blocked (via
> ipchains/netfilter/etc)

Re: Ports to block?

2001-04-05 Thread Lindsey Simon
Check out this page for some suggestions too,
-l

http://uw7doc.sco.com/NET_tcpip/filterD.block.html#filterT.block

Pedro Zorzenon Neto in message Re: Ports to block? (Thu, 04/05 17:04):
> I'd say to block all the ports you don't need to be available to the world.
> Just

Re: Ports to block?

2001-04-05 Thread Pedro Zorzenon Neto
I'd say to block all the ports you don't need to be available to the world. Just leave open the essential ports you need to provide services. Try nmap to see your open ports.

On Thu, Apr 05, 2001 at 12:57:24PM -0700, Brandon High wrote:
> Does anyone have a recommendation of ports that should

Re: Ports to block?

2001-04-05 Thread Adam Spickler
I like to look at it the other way around. "What ports not to block?". I block ALL ports except for the ones that *I* want to get through. This increases the security of your firewall, because you have only allowed the ports that YOU want open.

...adam

On Thu, Apr 05, 2001 at 12:57:24PM -0

Ports to block?

2001-04-05 Thread Brandon High
Does anyone have a recommendation of ports that should be blocked (via ipchains/netfilter/etc) to make a system more secure? In light of the recent security holes, I did a netstat -an, then lsof -i for all ports that were listening and/or UDP. I put a filter in the way of everything that I didn't
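The audit step Brandon describes (netstat -an, then justify every listening socket, as David Dorgan also suggests) as a small added script; it is not code from the thread. The netstat sample and the allowlist of justified ports are constructed assumptions.

```python
import re

# Constructed sample of Linux `netstat -an` output; not captured from any real host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

# Assumed allowlist: the ports the thread treats as commonly justified (ssh, smtp, http, dns).
JUSTIFIED = {("tcp", 22), ("tcp", 25), ("tcp", 80), ("udp", 53)}

# proto, recv-q, send-q, local addr:port, foreign addr, optional state
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


def listening_sockets(netstat_output):
    """Return (proto, bind_addr, port) for each TCP socket in LISTEN and each UDP socket."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header lines and anything unparseable
        proto, addr, port, state = m.groups()
        proto = proto.rstrip("6")         # treat tcp6/udp6 like tcp/udp
        if proto == "tcp" and state != "LISTEN":
            continue                      # established connections are not services
        found.append((proto, addr, int(port)))
    return found


def unjustified(netstat_output, justified=JUSTIFIED):
    """Network-reachable sockets that are not on the justified-port allowlist."""
    out = []
    for proto, addr, port in listening_sockets(netstat_output):
        if addr in ("127.0.0.1", "::1"):
            continue                      # loopback-only: not reachable from outside
        if (proto, port) not in justified:
            out.append((proto, addr, port))
    return out
```

Each entry the script reports is a service to either switch off or add to the allowlist and the packet filter deliberately, which is the "justify each open port" exercise rather than a fixed list of ports to block.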
