[conspire] Perimeter vs. host-edge security (wqs: MIMO wireless cards cheap at Fry's)

Rick Moen rick at linuxmafia.com
Tue Dec 13 05:14:32 PST 2005 

Quoting Tony Godshall (togo at of.net):

> Yeah, I just use the one static IP.  I'm not sure the
> philosophy differs that much... I just have more layers 
> and a single IP addr.  Linux boxes are pretty secure 
> without the router/firewall and the iptables, and I 
> wouldn't hesitate to run them that way if I had the IP 
> addrs to spare.  But I do enjoy tweaking the iptables to 
> limit even the nature of the systems inside.

I used to be a wee bit militant in the "I don't need no steenkin' firewall"
department, but have mellowed a bit after seeing different approaches
work well for different people.  Earlier, mostly I'd been seeing people 
shoot themselves in the foot with filtering rulesets -- like the 1980s
boss who entered a set of them into an Ascend router but forgot to save
them to NVRAM.  Next router reboot, no more ruleset -- factory-default
permit policy -- which became apparent when customers started sending
comments about things they liked and didn't on the developers' ftp and
NFS servers.

More often than that is people simply getting the rulesets wrong, and
either crippling security, network functionality, or both.  Not that the
rulesets aren't potentially a good thing, but complexity is the enemy of
reliability to some extent -- and implementing a simple model that you
understand well is often _effectively_ better, in my experience, than
attempting something tricky.

(In part, my attitude is a reaction to pointy-haired managers who
erroenously think throwing more software at any security situation is
the way to improve security, when more often removing software and
simplifying is in general a better remedy.)

> The whole point of running sshd with nonstandard port numbers started
> out as a convenience issue rather than a security issue- I wanted to
> be able to get to dude or sena or nib from the road.  But why not add
> a layer of security by obscurity on top of the rest- as long as you
> aren't counting on it.  Sounds like you are doing a little bit of the
> same...

Well, aside from having some monitoring mechanisms I don't go into
particulars about, all I can think of is making sshd respond on 23/tcp
(telnet port) in addition to 22/tcp (ssh).  That's handy when I
encounter moron outfits that think they're doing themselves a favour by
blocking outbound SSH access -- which happens depressingly often.
(And, after all, I have no other use for inbound telnet on my server.)

> Say, have you deployed the tarpit module at all?  Looks like an
> altruistic thing to use on spammer-zombies and ddos'ers (keeps them
> from moving onto the next victim).

If you mean tarpitting via iptables rules -- e.g.,
IPTables::IPv4::DBTarpit::Tools and the dbtarpit C daemon --  no.  Be
careful of tarpitting techniques:  Anything that plays footsie with
attackers can get you into trouble in a myriad of ways, and I am
extremely wary of automated active defences.  You can easily end up
DoSing yourself.

There are also two distinct types of tarpitting ("teergrubing") sometimes
implemented in SMTP servers.  The truly nasty variety is the one where, 
when your MTA determines that sender is a malware bot or something else
whose time it wishes to chew up, the MTA keeps the delivering remove
machine's socket open for as long as possible, by sending continuation
SMTP messages -- essentially, saying to it "Are you still there?  Please 
keep holding."

I call this "truly nasty" in part because it's a two-edged sword:  It
slows down and hampers the spammers by tying up their resources, but
each socket of theirs that you keep open as long as possible on their
end, is also a socket you're keeping open as long as possible on _your_
end.  You probably have better things to do with your MTA than telling
thousands of spam processes "Please hold."  My MTA therefore doesn't
ever attempt that particular trick.

My MTA does a number of initial checks on incoming SMTP attempts for RFC
compliance, e.g., possession of the required postamaster and abuse
accounts, etc., before passing the incoming SMTP stream through
SpamAssassin.  If SA gives the mail an _extremely_ high spamicity score,
then my MTA applies the gentler variety of mail tarpitting:  450
temporary delivery failure messages.  (Those responses are also used by
greylisting techniques.)

-- 
Cheers,             
Rick Moen                 "Anger makes dull men witty, but it keeps them poor."
rick at linuxmafia.com                                   -- Elizabeth Tudor

More information about the conspire mailing list