Re: apache security question
From: Karsten W. Rohrbach (karsten@rohrbach.de)
Date: 06/15/01
- Next message: Marcel Dijk: "Re: IPFW almost works now -> stateful rules"
- Previous message: peter: "(no subject)"
- In reply to: Mike Silbersack: "Re: apache security question"
- Next in thread: Mike Silbersack: "Re: apache security question"
- Reply: Mike Silbersack: "Re: apache security question"
- Reply: Dag-Erling Smorgrav: "Re: apache security question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 15 Jun 2001 12:52:53 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Mike Silbersack <silby@silby.com>
Mike Silbersack(silby@silby.com)@2001.06.15 00:12:48 +0000:
>
> On Thu, 14 Jun 2001, Gerhard Sittig wrote:
>
> > On Thu, Jun 14, 2001 at 21:22 +0200, Karsten W. Rohrbach wrote:
> > > why? for a web-only server? *grin*
> > > the only service that listens is httpd on tcp port 80, for
> > > severe network scanning and synflood handling consult the
> > > blackhole(4) man page.
> >
> > Consulting the "man 4 blackhole" output was exactly what I did
> > lately when the TCP_RESTRICT_RST setting became obsolete. Your
> > statement made me curious, because I remembered the WARNING
> > section:
>
> In actuality, using TCP_RESTRICT_RST, blackhole, or ipfw isn't really going
> to help you weather an attack any better than doing nothing; the built-in
> ratelimiting features handle this already.
ratelimiting turned out to be too relaxed for several servers i got in
the field. was this changed from 4.2 to 4.3?
>
> restrict_rst and blackhole can, at best, frustrate people probing your
> network, but little more. ipfw could protect other hosts if we're talking
> about a router, but can't help a FreeBSD box it's running on much.*
i did not want to say that blackhole(4) is a replacement for ipf(4).
since the b0rkedness of the rule parser, ipfw(4) is not an option
anymore for me. try matching multiple destination ports in one rule :-/
>
> So... don't worry about it. (Or filter upstream if you are being attacked
> and are forced to worry about it.)
that's exactly what i wrote in the original mail, had it not been
removed.
> * Some attack tools have recognizable signatures, you could block those
> with ipfw.
oh, yes, and snort or similar things on a gateway in front of it to see
new ones ;-)
/k
--
> <?print(strrev(join(" ",split("[123]","rekcaH3PHP2rehtonA1tsuJ"))));?>
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
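The thread argues about TCP_RESTRICT_RST, blackhole(4) and the kernel's built-in rate limiting, so a practitioner will want to see where those knobs actually stand on a host. The script below is an added example, not code from this mail, from the thread or from FreeBSD. It parses the "name: value" lines that `sysctl -a` prints and reports the real knobs net.inet.tcp.blackhole, net.inet.udp.blackhole and net.inet.icmp.icmplim (the RST/ICMP-unreachable rate limiter the thread refers to as ratelimiting). The sample input is constructed; on a FreeBSD box you would pipe `sysctl -a` into audit_blackhole instead.

```shell
#!/bin/sh
# Added example (not from the original mail or from FreeBSD): audit the
# sysctl knobs that replaced the TCP_RESTRICT_RST kernel option.
# Usage on a real host:   sysctl -a | audit_blackhole

# Constructed sample in `sysctl -a` format ("name: value"); these are the
# FreeBSD defaults (blackhole off, RST/ICMP responses limited to 200/s).
SAMPLE_SYSCTL='net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0
net.inet.icmp.icmplim: 200'

# get_knob NAME: print NAME's value from sysctl-style lines on stdin.
# Exit status 1 if NAME is absent (knob not present on that release).
get_knob() {
    awk -v k="$1" '
        index($0, k ": ") == 1 { print substr($0, length(k) + 3); found = 1 }
        END { exit found ? 0 : 1 }'
}

# describe_tcp_blackhole MODE: meaning of each net.inet.tcp.blackhole value
# as documented in blackhole(4).
describe_tcp_blackhole() {
    case "$1" in
        0) echo "off: RST sent for every segment to a closed port" ;;
        1) echo "SYN to closed ports dropped silently, other segments still get RST" ;;
        2) echo "all segments to closed ports dropped silently" ;;
        *) echo "unknown value '$1'" ;;
    esac
}

# load_knobs: read sysctl output on stdin into TCP_BH, UDP_BH, ICMPLIM
# ("absent" when the knob is not in the input).
load_knobs() {
    input=$(cat)
    TCP_BH=$(printf '%s\n' "$input" | get_knob net.inet.tcp.blackhole) || TCP_BH=absent
    UDP_BH=$(printf '%s\n' "$input" | get_knob net.inet.udp.blackhole) || UDP_BH=absent
    ICMPLIM=$(printf '%s\n' "$input" | get_knob net.inet.icmp.icmplim) || ICMPLIM=absent
}

# audit_blackhole: read sysctl output on stdin, print one line per knob.
audit_blackhole() {
    load_knobs
    echo "net.inet.tcp.blackhole=$TCP_BH: $(describe_tcp_blackhole "$TCP_BH")"
    case "$UDP_BH" in
        1) echo "net.inet.udp.blackhole=1: no ICMP port unreachable for closed UDP ports" ;;
        0) echo "net.inet.udp.blackhole=0: ICMP port unreachable sent (subject to icmplim)" ;;
        *) echo "net.inet.udp.blackhole=$UDP_BH" ;;
    esac
    case "$ICMPLIM" in
        0)      echo "net.inet.icmp.icmplim=0: RST/ICMP-unreachable rate limiting disabled" ;;
        absent) echo "net.inet.icmp.icmplim: not present in input" ;;
        *)      echo "net.inet.icmp.icmplim=$ICMPLIM: at most $ICMPLIM RST/ICMP-unreachable responses per second" ;;
    esac
}

# count_weakest: read sysctl output on stdin and print how many of the three
# knobs sit at their weakest setting (blackhole off, or rate limiting off).
count_weakest() {
    load_knobs
    n=0
    [ "$TCP_BH" = 0 ] && n=$((n + 1))
    [ "$UDP_BH" = 0 ] && n=$((n + 1))
    [ "$ICMPLIM" = 0 ] && n=$((n + 1))
    echo "$n"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SYSCTL" | audit_blackhole
echo "knobs at weakest setting: $(printf '%s\n' "$SAMPLE_SYSCTL" | count_weakest)"
```

The report deliberately separates the two mechanisms the thread conflates: the blackhole knobs decide whether a closed port answers at all, while icmplim only caps how many RST/ICMP-unreachable replies leave the box per second, so a host with blackhole off and icmplim at its default still answers probes, just not faster than 200 times a second.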