On 8/4/05, hbeaumont hbeaumont <ahlist@xxxxxxxxx> wrote:
> I want to find a way to make sure that we have an extra layer of protection
> to make sure our servers weren't DOS'ing other boxes - even if it was
> only for a short time until an admin logged in to check the source of the
> outgoing traffic spike.

I'm a big fan of layers. =)

Even though there's only so much that netfilter can do, as it generally only looks at the lower half of the network stack, you can restrict a lot. For example, servers don't usually need to originate much traffic at all. Trust and allow a few IPs for patch servers, time servers, and DNS servers, as opposed to allowing general outgoing traffic out to ports 21, 80, 123, 53, etc. Log (with flood limits) dropped outbound traffic.

/dev/rob0 makes a good point that logging is often useless. If you have log analysis tools that are monitored, they can possibly detect everything from misconfigured software to malicious and mischievous users.

Something else you can do is proxy whatever small subset of external services your servers can reach. This can help prevent someone from tunneling random things over port 80, for example (popular since it's seldom filtered).

You might also set netfilter to allow certain programs or users to go out of certain ports. I.e. root can go out on port 123 to synchronize the clock, but a user cannot. Of course, the more you restrict users, the more unhappy they get!
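The egress allow-list described in the reply above (a few trusted IPs for DNS, time and patch servers instead of open outbound ports, rate-limited logging of everything else, and an owner match so only root may reach the time server), written out as an added iptables script. This is example code, not from the original post or from the netfilter project; the server addresses are constructed TEST-NET placeholders, the `ipt` wrapper and `egress_rules` function are this example's own, and `DRY_RUN=1` prints the rules instead of applying them so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example: outbound (egress) allow-list for a server with netfilter.
# Not from the original post. Addresses are constructed placeholders
# (RFC 5737 TEST-NET-1); replace them with your own trusted servers.

DNS_SERVER="${DNS_SERVER:-192.0.2.53}"      # constructed: recursive resolver
NTP_SERVER="${NTP_SERVER:-192.0.2.123}"     # constructed: time server
PATCH_SERVER="${PATCH_SERVER:-192.0.2.80}"  # constructed: package mirror

# Wrapper (this example's own): DRY_RUN=1 prints the rule, otherwise applies it.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

egress_rules() {
    ipt -F OUTPUT
    # Default deny for anything the host itself originates.
    ipt -P OUTPUT DROP
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to connections the server accepted (its own services, admin SSH)
    # are allowed by connection tracking, so the allow-list below only has to
    # cover traffic the server initiates.
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DNS: only to the trusted resolver, UDP and TCP (large answers fall back to TCP).
    ipt -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    # NTP: only to the trusted time server, and only when root originates it.
    # The owner match applies to locally generated packets (OUTPUT chain).
    ipt -A OUTPUT -p udp -d "$NTP_SERVER" --dport 123 -m owner --uid-owner 0 -j ACCEPT
    # Patch server over HTTP; everything else on port 80 stays blocked.
    ipt -A OUTPUT -p tcp -d "$PATCH_SERVER" --dport 80 -j ACCEPT
    # Log the rest with a flood limit so a runaway process cannot fill the logs,
    # then drop it. An outbound spike shows up as a burst of EGRESS-DROP lines.
    ipt -A OUTPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "EGRESS-DROP: " --log-level 4
    ipt -A OUTPUT -j DROP
}

# Apply only when explicitly asked, e.g.  EGRESS_APPLY=1 ./egress.sh
# Review first with:                      DRY_RUN=1 EGRESS_APPLY=1 ./egress.sh
if [ "${EGRESS_APPLY:-0}" = "1" ]; then
    egress_rules
fi
```

Order matters: the conntrack rule must precede the allow-list so the server's own services keep answering, and the LOG rule must sit immediately before the final DROP so that only traffic about to be discarded is logged. Tunnelling over port 80 is narrowed here to one destination; the reply's proxy suggestion would go one step further by terminating that HTTP traffic on a proxy host.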