[sf-lug] interlopers continued

Rick Moen rick at linuxmafia.com
Sat Jul 21 15:30:27 PDT 2007


Quoting John Reilly (jr at inconspicuous.org):

> To me it just sounds like a user using irc without your knowledge.

FWIW, Alex says no.

Certainly, there are any number of case histories of people
overinterpreting unfamiliar but innocuous system activity as security
incidents, in error.  That's why I stressed to Alex that he's the best
authority on what activity is normal on his system -- or, if he isn't
yet, he's well advised to become one.  ;->

> You could make up your own ruleset in iptables, and I definitely 
> recommend it for learning, but for completeness and ease of use you 
> could use a number of packages that are available.  Personally I like 
> shorewall (although it's probably not the easiest to use at first).

BTW, next issue of _Linux Gazette_, due out on August 1st, will include
a lengthy article about setting up a home server, including Shorewall 
configuration.  I know this because I just copy-edited it.  ;->

A "first line of defence" is not what I'd call IP/port filtering.  More
like "Compulsive gadget-freakery by people who can't be bothered to 
address their real vulnerabilities at their source, but rather prefer to
try to paper those over at the network or host border."

About one time in a million, I find someone who actually bothers to
write such filters based on a proper security policy that rationally
considers threat models.  The rest of the time, it's just a case of
blindly trying to deal blanket-fashion with software security problems
by adding more layers of software -- which, as anyone who's read
Cheswick and Bellovin's book will tell you, is the exact opposite of the
right approach.

If you disagree, let's discuss the specific example of my server,
linuxmafia.com, IP address 198.144.195.186.  That server runs about a
half-dozen public-facing network services, all carefully selected 
and configured to make sure their security profile and likely risks are
known.  I monitor the Net for relevant security advisories about all 
public-facing software present.  I occasionally double-check the
inventory of network-reachable software, by running nmap from a live CD
nearby on the local LAN.  The only IP-filtering rulesets on the outside
interface are ones blocking and logging "Martian packets" (ones not
properly addressed for that LAN).

All of my users are clueful and trustworthy, but, in case they aren't or
get horribly unlucky, I run host and network integrity monitoring that I
won't get into, here.

(And no, there are not Typhoid Mary MS-Windows boxes or other such
things behind my Linux server that it might be expected to protect.)

So, please tell me what I would gain by adding something to the iptables
ruleset that doesn't lose more by the inherent reduction in system
transparency caused by more-complex operation, and by running the risk of
interfering in legitimate usage.  I'm interested in hearing what you
think would be an improvement.
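The inventory double-check described above (running nmap against the server from the LAN and comparing the result with the known set of public-facing services) is easy to make repeatable. What follows is an added example written for this page; it is not code from the original post or from linuxmafia.com. It assumes nmap's greppable output format (`-oG`), an expected-inventory allowlist that is purely illustrative (the page does not enumerate the server's actual services), and a constructed sample scan embedded inline. Port 6667 appears in the sample only to show what an unexpected listener looks like in the report.

```python
"""Compare an nmap greppable (-oG) scan against an expected service inventory.

Added example for the sf-lug thread; not code from the original post.
Assumes nmap's -oG line layout:
    Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
"""
import re
import sys

# Illustrative allowlist of (protocol, port) pairs the administrator knows
# about.  ASSUMPTION: the page does not list the server's real services.
EXPECTED = {
    ("tcp", 22),   # ssh
    ("tcp", 25),   # smtp
    ("tcp", 80),   # http
    ("tcp", 443),  # https
    ("udp", 53),   # dns
}

# Constructed sample of `nmap -sS -sU -oG -` output.  Not a real scan result;
# the unexpected irc listener on tcp/6667 is planted for the demonstration.
SAMPLE_SCAN = (
    "# Nmap scan initiated as: nmap -sS -sU -oG - 198.144.195.186\n"
    "Host: 198.144.195.186 (linuxmafia.com)\tStatus: Up\n"
    "Host: 198.144.195.186 (linuxmafia.com)\tPorts: "
    "22/open/tcp//ssh///, 25/open/tcp//smtp///, "
    "53/open|filtered/udp//domain///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 6667/open/tcp//irc///"
    "\tIgnored State: closed (65530)\n"
    "# Nmap done\n"
)

# port/state/proto/owner/service/rpc/version/  -- owner, rpc and version are
# usually empty, which is why the pattern has runs of consecutive slashes.
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)//([^/]*)///")


def parse_grepable(text):
    """Return {(proto, port): (state, service)} for every port nmap listed."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # The Ports field ends at the next tab-separated field (Ignored State).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for match in PORT_RE.finditer(ports_field):
            port, state, proto, service = match.groups()
            found[(proto, int(port))] = (state, service)
    return found


def diff_inventory(scan, expected):
    """Split the scan into listeners not in the allowlist and expected ones
    that did not answer.  UDP 'open|filtered' is counted as reachable on
    purpose: nmap cannot tell silence from an open UDP socket, so the
    conservative reading is to treat it as exposed until proven otherwise."""
    reachable = {k for k, (state, _) in scan.items() if state.startswith("open")}
    unexpected = sorted(reachable - expected)
    missing = sorted(expected - reachable)
    return unexpected, missing


def report(scan, expected):
    """Human-readable lines plus an exit status (0 = inventory matches)."""
    unexpected, missing = diff_inventory(scan, expected)
    lines = []
    for proto, port in unexpected:
        state, service = scan[(proto, port)]
        lines.append(f"UNEXPECTED {proto}/{port} {state} ({service or 'unknown'})")
    for proto, port in missing:
        lines.append(f"MISSING    {proto}/{port} expected but not reachable")
    return lines, (1 if unexpected or missing else 0)


if __name__ == "__main__":
    # Pipe real output in with `nmap -sS -sU -oG - <host> | python3 inventory.py`;
    # with no stdin the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    out, status = report(parse_grepable(text or SAMPLE_SCAN), EXPECTED)
    print("\n".join(out) if out else "inventory matches")
    sys.exit(status)
```

The point of the script is the one the post makes: the check is only meaningful if the allowlist is a deliberate statement of what the server is supposed to expose, maintained by whoever runs it. An unexpected line is then a prompt to go find the process behind it (for example with `netstat -tulpn` on the host), not a prompt to add a filter rule in front of it.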
