Subject: Re: security for netbsd as web server
To: Felix Deichmann <f.dei@web.de>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 03/25/2005 17:39:52
In message <4244916E.8010200@web.de>, Felix Deichmann writes:
>Amadeus Stevenson wrote:
>> -ipfilter block all default, allow in www with keep state
>
>If you expect many connections and "keep state", be sure that the state
>table is big enough then. See IPSTATE_SIZE and IPSTATE_MAX in ip_state.h.
For this sort of application, you don't need 'keep state'. Virtually
nothing should be running on the machine; you can block those ports
explicitly (if there is indeed anything to block). Outbound calls (if
any) should just work. Don't worry about scans; armor the machine and
let the probes bounce off.
The real risk here isn't that they know you aren't running something;
the risk is from the things you are running and can't shut down, like
apache.
>
>> Is there anything else you could do? Password rotation? What would you
>> do if you had to run, say, a security-critical (eg. a bank or paypal)
>> system?
>
>If you are really paranoid:
># sysctl -w net.inet.ip.random_id=1
>
Against what threat?
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb