From: Martin Vaeth <vaeth@mathematik.uni-wuerzburg.de>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: scripted iptables-restore
Date: Mon, 14 Oct 2013 11:49:48 +0000 (UTC)
Message-ID: <slrnl5nmj5.hoa.vaeth@bois.imp.fu-berlin.de>
In-Reply-To: 525B1878.2010908@orlitzky.com
Michael Orlitzky <michael@orlitzky.com> wrote:
> Port knocking is cute, but imparts no extra security.
It does, for instance if you use it to protect sshd and
sshd turns out to be vulnerable; remember e.g. the
security disaster with Debian.
> A better, secure way to achieve the same goal is with OpenVPN.
Using yet another service with possible holes to protect a sshd?
In this case, I would like port knocking at least for this OpenVPN.
> In this case, the absolute worst that could happen is that an attacker
> gains access to every open port on your system. While this is bad, it's
> not a clever new vulnerability: it's all of the old ones that were
> already there.
It is exactly the kind of attack for which one usually uses iptables.
You are right, iptables is just one extra step of security, so the
worst thing which can happen is that this step is useless.
However, if you are willing to risk this only because of your own
laziness in scripting, then why do you set up iptables in the first place?
> If there are insecure daemons listening on public addresses
The problem is that nobody can be sure that some daemon is safe.
Even presumably safe services turn out to be victims of new kinds
of attacks, occasionally.
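As an added illustration of the point above (example code, not anything posted in this thread), the following POSIX shell script emits an iptables-restore ruleset that puts sshd behind a two-port knock sequence using the "recent" match, so sshd is not reachable from the WAN side until the sequence has been sent. The knock ports, the ssh port and the interface name are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: emits an iptables-restore ruleset that
# hides sshd behind a two-port knock sequence using the "recent" match.
# The ports and interface below are assumed placeholders; adjust to taste.
KNOCK1=${KNOCK1:-1234}   # first knock port
KNOCK2=${KNOCK2:-5678}   # second knock port, must follow within 10 s
SSH_PORT=${SSH_PORT:-22}
WAN_IF=${WAN_IF:-eth0}

knock_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:KNOCK - [0:0]
:GRANT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# every new TCP connection from the WAN side goes through the knock logic
-A INPUT -i $WAN_IF -p tcp --syn -j KNOCK
# stage 2: KNOCK2 from a source that hit KNOCK1 in the last 10 s -> open
-A KNOCK -p tcp --dport $KNOCK2 -m recent --rcheck --seconds 10 --name STAGE1 --rsource -j GRANT
# stage 1: remember the source; the knock port itself still looks closed
-A KNOCK -p tcp --dport $KNOCK1 -m recent --set --name STAGE1 --rsource -j DROP
# sshd is reachable only for sources that completed the sequence within 30 s
-A KNOCK -p tcp --dport $SSH_PORT -m recent --rcheck --seconds 30 --name OPEN --rsource -j ACCEPT
-A KNOCK -j DROP
-A GRANT -m recent --set --name OPEN --rsource -j DROP
COMMIT
EOF
}

# "apply" loads the ruleset atomically; anything else is a dry run to stdout
if [ "${1:-}" = "apply" ]; then
    knock_ruleset | iptables-restore
else
    knock_ruleset
fi
```

Once the knock has opened the port, the established ssh session keeps working through the conntrack rule after the 30 s window closes.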