[tor-relays] does it make sense to close unused ports at a tor relay with iptables ?

grarpamp grarpamp at gmail.com
Thu Apr 28 22:07:32 UTC 2016


On 4/28/16, Green Dream <greendream848 at gmail.com> wrote:
>> The likes of GRC.COM <http://grc.com/> make you think that any port not
>> blocked... is bad.
>> I wondered why if nothing there
>
> Because there is a difference between a closed port and a filtered port.
> Deny vs drop. The less of a fingerprint you offer to attackers, the better.
> It's security by obscurity to an extent, but even a response from a closed
> port can give away clues about the software, OS and network stack that's
> running.

Another reason is that by filtering as root,
it requires anything that does happen to escalate to root and unfilter
before being able to use any other port.
Another: some exploit in the part of the stack responsible for sending
the deny.
Tradeoff: management overhead, possible lockout of yourself.
Backup, practice, document, test.
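The allow-list firewall discussed above, written out as an added example (this is not code from either poster or from the Tor project): a POSIX shell script that generates an iptables-restore ruleset with a default DROP policy on INPUT, so unused ports are filtered (no RST or ICMP unreachable) rather than merely closed, and only the relay's ORPort, DirPort, loopback, established connections, ping, and SSH from one admin network are accepted. The port numbers 9001 and 9030, the admin range 203.0.113.0/24, and the file paths are assumptions for the example. The apply_with_rollback function addresses the lockout tradeoff the post mentions: it saves the running rules and schedules an automatic restore unless the operator confirms the new rules still let them in.

```shell
#!/bin/sh
# Added example: default-DROP allow-list for a Tor relay, generated for
# iptables-restore. Values below are assumptions for the example, not
# anything the thread specifies.
ORPORT=9001                   # assumed ORPort
DIRPORT=9030                  # assumed DirPort
SSH_ADMIN_CIDR="203.0.113.0/24"  # assumed admin network (documentation range)
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Print the ruleset. Policy DROP means an unsolicited SYN to any other port
# gets no answer at all; a REJECT rule would instead have the stack send a
# TCP RST or ICMP unreachable, which is the "deny" response the post warns
# about.
relay_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport $ORPORT -j ACCEPT
-A INPUT -p tcp --dport $DIRPORT -j ACCEPT
-A INPUT -p tcp -s $SSH_ADMIN_CIDR --dport 22 -j ACCEPT
COMMIT
EOF
}

# Apply the ruleset with a dead-man switch: if the operator does not kill the
# background timer within ROLLBACK_SECS, the previous rules are restored.
# Needs root and a working iptables; not run unless invoked with "apply".
apply_with_rollback() {
  backup="/root/iptables.backup.$(date +%s)"   # assumed backup location
  iptables-save > "$backup" || return 1
  relay_ruleset | iptables-restore || return 1
  ( sleep "$ROLLBACK_SECS"; iptables-restore < "$backup" ) &
  echo "$!" > /run/iptables-rollback.pid        # assumed pid file location
  echo "Applied. Within ${ROLLBACK_SECS}s, confirm with:"
  echo "  kill \$(cat /run/iptables-rollback.pid)"
  echo "Otherwise the rules in $backup come back automatically."
}

case "${1:-print}" in
  apply) apply_with_rollback ;;
  *)     relay_ruleset ;;
esac
```

Run it without arguments to review the generated rules, and with `apply` (as root) to install them under the rollback timer; after confirming SSH still works from the admin network, kill the timer to keep the rules. The same script needs an ip6tables counterpart if the relay has an IPv6 address, since iptables rules do not cover IPv6 traffic.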

