Re: Stealthing Ports in system-config-securitylevel was: SSH brute force attack

Stephen J. Smoogen wrote:
On 4/28/05, Roger Grosswiler <roger@xxxxxxxx> wrote:

Hi,

Taking again the thread about the SSH brute force attacks, but with a
question.

We have a nice tool called system-config-securitylevel, why isn't it
possible to indicate some IPs or ranges there and click to "stealth" so,
this port is just visible to the indicated IP addresses??

Roger


Because it's a simple gui tool designed to be simple.


You're right at this point, it's adding a function more, but adding this function would not mean crashing usability
of this tool, I think. It's just a senseful option more, that keeps EASY the users' computers more secure - especially
on servers.


You have to be able to parse things like did you want to NOT allow
127.0.0.1 to connect. Did you mean 204.121.0.0/32 and not
204.121.0.0/16.. it is not a trivial task to do right for the new
person. Or the fact that you put the -A INPUT -s 0.0.0.0/0 -j ACCEPT
before all your drops.

A tool that does this would be great, but I think its complexity would
be more than can be packaged simply into the installer :(. Even
putting this in an 'expert' section is more likely to shoot one in the
foot. [I have had to clean up more systems because the person thought
they had secured it and it was actually worse off.]

That's why I think this should be done by the tool written by experts. Of course, a newb isn't really able to calculate networks. But all that information is there and just has to be read by the tool. It should even prevent the situation you described above.

I mean, basically we got firestarter, this is kind of easy. Just what I think, if system-config-securitylevel would support stealthing too, you get at least a more or less "very" secure system out of the box.

Roger
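
The pitfalls raised in the quoted reply above (a /32 where a /16 was meant, host bits left in a range, an accept-all rule placed before the drops, loopback), shown as an added example that is not part of the original thread or of system-config-securitylevel. The function names and sample addresses are constructed, and IPv4 with a single TCP port is assumed.

```python
import ipaddress
import shlex

def lint_sources(sources):
    """Warn about allow-list entries that probably do not mean what was typed."""
    warnings = []
    for text in sources:
        net = ipaddress.ip_network(text, strict=False)
        if net.prefixlen == 0:
            warnings.append(f"{text}: matches every address, nothing is hidden")
        elif "/" in text and str(net) != text:
            warnings.append(f"{text}: host bits set, rule will match {net}")
        elif net.prefixlen == net.max_prefixlen and int(net.network_address) & 0xFF == 0:
            warnings.append(f"{text}: single host ending in .0, wider prefix intended?")
    return warnings

def build_rules(sources, port=22):
    """Loopback first, then the allowed sources, then the silent DROP last."""
    rules = ["-A INPUT -i lo -j ACCEPT"]
    for text in sources:
        net = ipaddress.ip_network(text, strict=False)
        rules.append(f"-A INPUT -s {net} -p tcp --dport {port} -j ACCEPT")
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules

def shadowed_drops(rules):
    """Indices of DROP rules that never match because an accept-all precedes them."""
    accept_all_seen = False
    shadowed = []
    for i, rule in enumerate(rules):
        args = shlex.split(rule)
        target = args[args.index("-j") + 1]
        source = args[args.index("-s") + 1] if "-s" in args else "0.0.0.0/0"
        narrowing = {"-p", "-i", "-d", "--dport"} & set(args)
        if target == "ACCEPT" and source == "0.0.0.0/0" and not narrowing:
            accept_all_seen = True
        elif target == "DROP" and accept_all_seen:
            shadowed.append(i)
    return shadowed

# Constructed sample input: two suspicious entries and one plain host.
SAMPLE = ["204.121.0.0/32", "204.121.0.5/16", "192.0.2.10"]
# Constructed rule list with the ordering mistake described in the thread.
BAD_ORDER = ["-A INPUT -s 0.0.0.0/0 -j ACCEPT", "-A INPUT -p tcp --dport 22 -j DROP"]

if __name__ == "__main__":
    print("\n".join(lint_sources(SAMPLE)))
    print("\n".join(build_rules(["192.0.2.10"])))
    print("shadowed DROP rules:", shadowed_drops(BAD_ORDER))
```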

