Full Disclosure mailing list archives
Re: Compromised hosts lists
From: Valdis.Kletnieks () vt edu
Date: Tue, 21 Feb 2006 18:33:11 -0500
On Tue, 21 Feb 2006 13:43:44 CST, Frank Knobbe said:
> Would you apply the same thinking to *outbound* traffic by first denying all outbound traffic, and then adding rules for, say eBay, Slashdot, etc?
This of course depends on the machine's function. Chances are that if it's a corporate server, it shouldn't be talking to either eBay or Slashdot. ;) But yes, for a corporate server, it would certainly make sense to block all outbound access, then add an 'iptables -state RELATED' to allow outbound packets for authorized connections inbound, and perhaps a few other rules to allow it to contact the NTP server, the machine you download patches/updates from, and so on. If your corporate server is making an *outbound* connection that you don't know about, you probably have a problem and want to deal with it.

Of course, you will probably want to configure corporate desktops a bit differently (the exact answer being *very* dependent on how fascist the IT staff is), and another answer entirely for software development machines. And personal machines are yet another different beast....

But even for personal machines, denying all outbound packets and then adding rules to pass things you want to allow is a good idea - even if the rule is "allow outbound to any other box's 25, 53, 80, 123, or 443" or similar.
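As an added example (not code from the post or from the list), this POSIX shell script emits an iptables-restore ruleset for the two profiles Valdis outlines: a corporate server that may only answer its one inbound service and reach NTP and its update host, and a personal machine allowed new outbound connections to 25, 53, 80, 123 and 443. The NTP and update-server addresses and the inbound service port are assumed placeholders.

```shell
#!/bin/sh
# Emits an iptables-restore ruleset for the default-deny outbound policy described
# above; it only prints, so apply with: sh outbound.sh server | iptables-restore
# The addresses and the inbound port are placeholders (assumed, not from the post).
NTP_SERVER="192.0.2.123"    # placeholder: NTP server the host may contact
UPDATE_SERVER="192.0.2.80"  # placeholder: patch/update mirror
INBOUND_SVC_PORT=22         # placeholder: the one inbound service a server offers

# Corporate server: one inbound service; outbound only NTP and the update host.
server_rules() {
  cat <<EOF
-A INPUT -p tcp --dport $INBOUND_SVC_PORT -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp -d $NTP_SERVER --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -d $UPDATE_SERVER -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Personal machine: the post's "allow outbound to any other box's 25, 53, 80, 123, or 443".
personal_rules() {
  cat <<EOF
-A OUTPUT -p udp -m multiport --dports 53,123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,53,80,443 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Default DROP in every chain, loopback, replies to already-authorized connections
# (the post's "-state RELATED" as the conntrack match), the profile's rules, then log-and-drop.
outbound_policy() {
  case "$1" in
    server)   profile=server_rules ;;
    personal) profile=personal_rules ;;
    *) printf 'usage: %s server|personal\n' "$0" >&2; return 1 ;;
  esac
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
  "$profile"
  cat <<EOF
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTBOUND-DENIED: "
COMMIT
EOF
}
if [ $# -gt 0 ]; then outbound_policy "$@"; fi
```

The trailing LOG rule is what makes the policy useful for detection: any outbound attempt the allow rules did not anticipate lands in the kernel log with the OUTBOUND-DENIED prefix before the chain's DROP policy discards it.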
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/