Re: Stealthing Ports in system-config-securitylevel was: SSH brute force attack

[Roger Grosswiler <roger gwch net>]

Stephen J. Smoogen schrieb:
> On 4/28/05, Roger Grosswiler <roger gwch net> wrote:
>
> > > > Hi,
> > > >
> > > > Taking again the thread about the SSH brute force attacks, but with a
> > > > question.
> > > >
> > > > We have a nice tool called system-config-securitylevel, why isn't it
> > > > possible to indicate some ips or ranges there an click to "stealth" so,
> > > > this port is just visible to the indicated ip-adresses??
> > > >
> > > > Roger
> > >
> > > Because it's a simple gui tool designed to be simple.
> >
> > you're right at this point, it's adding a function more., but adding this function would not mean crashing usability
> > of this tool, i think. It's just an senseful option more, that keeps EASY the users computers more secure - specially
> > on servers.
>
>
> You have to be able to parse things like did you want to NOT allow
> 127.0.0.1 to connect. Did you mean 204.121.0.0/32 and not
> 204.121.0.0/16.. it is not a trivial task to do right for the new
> person. Or the fact that you put the -A INPUT -s 0.0.0.0/0 -j ACCEPT
> before all your drops.
>
> A tool that does this would be great, but I think its complexity would
> be more than can be packaged simply into the installer :(. Even
> putting this in an 'expert' section is more likely to shoot one in the
> foot. [I have had to clean up more systems because the person thought
> they had secured it and it was actually worse off.]
Thats why i think this should be done by the tool written by experts. Of 
course, a newb isn't really able to calculate networks. But all those 
information are there and just have to be read by the tool. Even it 
should prevent the situation, you described above.

I mean, basically we got firestarter, this is a kind of easy. Just what 
i think, if system-config-securitylevel would support stealthing too, 
you get at least a more or less "very" secure system out of the box.

Roger