[sclug] Firewalling on a server

Dickon Hood sclug at splurge.fluff.org
Sat Jan 7 00:45:48 UTC 2006


On Thu, Jan 05, 2006 at 20:04:34 +0000, Tom Chance wrote:
: Ahoy,

: Just a quick question - if you've got a server running a certain number of 
: services and you know the ports they use, then presumably it makes sense to 
: firewall off every other port?

Why?

: Or would I stupidly block off incoming data on ports that I didn't
: realise are needed, beyond those for SSH (22), SMTP (25), Apache (80),
: IMAP (143), LDAPS (636) and MySQL (3306)? Looking in /etc/services there
: are lots of ports that are mentioned for basic services like echo,
: netstat, login, who, etc. I've looked down the list given by 'netstat
: -a' but I've noticed that some are listed without my running the related
: server (*:ircd is listed as LISTEN).

inetd listens 'for you', as it were.  The idea behind it is that far back
in the mists of ancient time, when resources were limited, you didn't want
a lot of processes hanging around doing nothing but listen(2)ing on a
port.  You let inetd do that instead, which forked the service when
needed.

These days it isn't really worthwhile, and is generally deprecated.  It
will handle the legacy ports (echo, discard, etc.; <20 in the main) for
you if you really need them, but they rarely are.  On servers, I tend to
kill it, personally.

: I've blocked off a few odd things I know are unnecessary (including 6667
: for irc). Any light that people could shed on this would be welcome...

: </newbie-sysadmin>

It's a matter of choice.  I prefer to *know* what my servers are running,
so see little need for a firewall.  Others take a more relaxed view and
don't really care what they're running, preferring instead to trust a
trivial packet filter to solve the security problem.

I have a dubious tendency to perform backups of certain data using something
similar to the following:

tar cvf - . | gpg --encrypt | nc -l -p 1234

on one host, with another doing:

nc other.host 1234 > backup.host.tar.pgp

which works nicely, although isn't exactly efficient.  This fails if you
have a firewall which doesn't know about it, and, these things being a tad
automated, this can bite you.  There are other examples.

That said, it's a useful tool.  Just don't be tempted by the 'oh, I've got
a firewall, I'm safe' attitude, which is depressingly prevalent.

-- 
Dickon Hood

Due to digital rights management, my .sig is temporarily unavailable.
Normal service will be resumed as soon as possible.  We apologise for the
inconvenience in the meantime.

No virus was found in this outgoing message as I didn't bother looking.
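The "I prefer to *know* what my servers are running" position above is easy to turn into a check. The following is an added example, not part of the original thread or any poster's code: it reads the output of `netstat -ant` (numeric ports, so `ssh` shows as 22 and the surprise `*:ircd` as 6667), compares every LISTEN socket against an allowlist of the ports you meant to serve, and reports the rest, which is exactly how an inetd-provided echo or ircd gets noticed. The function names `audit_listeners` and `sample_netstat` are my own, and the netstat output in `sample_netstat` is constructed for the demonstration rather than taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: audit the TCP ports a host is
# actually listening on against an allowlist of the services you intended to
# run, and report anything else (an inetd-provided ircd or echo, for instance).
# Input is 'netstat -ant' output (numeric ports). The sample further down is
# constructed for this demonstration and is not real host data.

# audit_listeners "PORT PORT ..."   <  netstat -ant output
# Prints one line per listening TCP port that is not in the allowlist.
# Returns 0 when every listener is expected, 1 otherwise.
audit_listeners() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Only TCP sockets carry a state column; keep the LISTEN ones.
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4                 # local address, e.g. 0.0.0.0:6667 or :::80
            sub(/.*:/, "", port)      # keep the text after the last colon
            if (!(port in ok) && !(port in seen)) {
                seen[port] = 1
                bad++
                print "unexpected listener: " $1 " " $4
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample of 'netstat -ant' output for a host that was meant to
# run SSH, SMTP, Apache, IMAP, LDAPS and MySQL only; 6667 and 7 are the
# kind of thing inetd leaves listening 'for you'.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7               0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::143                  :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF
}

# Run it on the sample. On a real host: netstat -ant | audit_listeners "22 25 80 ..."
sample_netstat | audit_listeners "22 25 80 143 636 3306" \
    || echo "some listeners need a look (or an allowlist entry)"
```

Because the function exits non-zero when anything unexpected is listening, it drops straight into cron or a post-install check; an unexplained line is the cue to either kill the daemon (or inetd, as the post suggests) or to add the port to the allowlist on purpose. Note that with a plain `netstat -a`, ports appear as names from /etc/services, so either use `-n` as here or put the names in the allowlist instead.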