On Wed, 06 Nov 2013 10:30:30 +0000 Kevin Steen ks@kevinsteen.net allegedly wrote:
On 06/11/13 06:09, Andreas Krey wrote:
On Tue, 05 Nov 2013 14:09:40 +0000, Thomas Hand wrote: ...
Also, use iptables! If it is a dedicated VPS then drop anything you don't recognize,
What for? The ports that you want to block are rejected by the kernel anyway, as there is no one listening. (The minor added protection that malware needs to be root to disable iptables and effectively listen - is that worth the work?)
Dropping bad requests will reduce your bandwidth usage through not having to send TCP RST responses, and will also increase the workload of the attacker as they'll have to wait for a timeout on each connection.
It is also good practice to whitelist traffic inbound. The fact that there is no service currently listening on port "N" does not mean that there will /never/ be a service listening on port "N". Blocking by default can protect you from that WTF moment when you find that some system upgrade or reconfiguration has fired up a service you didn't expect or thought you had removed.
I've been there. I also believe in belt and braces.
I wouldn't recommend dropping everything, though, as it makes troubleshooting very difficult - just drop connections to ports which get attacked.
I disagree. Dropping all traffic other than that which is explicitly required is IMHO a better practice. (And how do you know in advance which ports get attacked?)
Best
Mick

Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
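As an added example (editor's code, not from the thread and not Mick's or Kevin's own ruleset), here is a POSIX shell function that emits the kind of inbound-whitelist ruleset Mick argues for, in iptables-restore format: INPUT policy DROP, loopback and already-established flows allowed, an explicit list of TCP ports allowed, and a rate-limited LOG rule ahead of the final DROP so that the troubleshooting problem Kevin raises is answered by the kernel log rather than by switching to REJECT. The assumptions are that only TCP ports need whitelisting, that ICMP echo should stay open, and the chain name LOGDROP; all are illustrative choices.

```shell
#!/bin/sh
# Added example: generate a default-deny (whitelist) INPUT ruleset for
# iptables-restore. Not taken from the mailing-list thread.
#
# Usage:  gen_ruleset "22 443" > /etc/iptables/rules.v4
#         iptables-apply /etc/iptables/rules.v4   # reverts if you lose SSH

# valid_port PORT -> 0 if PORT is an integer in 1..65535, else 1.
# Rejecting anything else keeps a stray token from turning into a rule.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_ruleset "PORT PORT ..." -> prints the ruleset on stdout.
# Returns 1 (and prints nothing) if any port is malformed.
gen_ruleset() {
    ports="$1"
    for p in $ports; do
        valid_port "$p" || { echo "gen_ruleset: bad port '$p'" >&2; return 1; }
    done

    echo '*filter'
    # Default policies: inbound and forwarded traffic are dropped unless
    # a rule below accepts it; outbound is left open (assumption).
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':LOGDROP - [0:0]'          # hypothetical chain name for log-then-drop

    # Loopback must stay open or local services (DNS caches, DB sockets) break.
    echo '-A INPUT -i lo -j ACCEPT'
    # Packets belonging to flows we already accepted or initiated ourselves.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Keep the host pingable (assumption; remove if you want it silent).
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'

    # The whitelist: only NEW connections to the listed TCP ports get in.
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Everything else: log a rate-limited sample, then DROP (no RST/ICMP back),
    # so unexpected listeners after an upgrade stay unreachable but visible.
    echo '-A INPUT -j LOGDROP'
    echo '-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: "'
    echo '-A LOGDROP -j DROP'
    echo 'COMMIT'
}
```

Load it with `iptables-apply` (Debian's wrapper, which rolls back unless you confirm within a timeout) rather than a bare `iptables-restore` when working over SSH, and put your SSH port in the list before anything else. The LOG rule is what keeps a DROP policy debuggable: a blocked port shows up as a `iptables-drop:` line in the kernel log instead of a silent hang, without giving scanners the RST that REJECT or no firewall at all would send.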