Gentoo Archives: gentoo-security

From: Brian Micek <bmicek@×××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] If your interested
Date: Mon, 10 Oct 2005 05:40:42
Message-Id: 1128922427.25181.65.camel@localhost.localdomain
In Reply to: Re: [gentoo-security] If your interested by Ben Anderson
On Mon, 2005-10-10 at 15:20 +1000, Ben Anderson wrote:

> It may make sense for small, limited-user machines, but what about
> servers that are intentionally advertising ssh for its users globally,
> so can't use port knocking, can't block all of Korea (as some users
> definitely connect from there) and so on...
>
Ben, you're correct ... it would be silly to block China on a commercial server doing business with China. Those machines probably require a secure architecture most of us light-weight users can't support.
> Seems to me blocking large chunks of the net because they're a pain is a
> short-term solution that's going to cause long-term pain for the
> internet at large if it's allowed to become standard practice...
Once again, censorship is silly but it works. There is something ironic about censoring a country that censors its Internet.
>
> Shouldn't this list focus on the general, base-level security rather
> than specific work-arounds for these types of issues that don't apply to
> a lot of boxen?
>
> 2c out.
> Ben
>
>
> Dave Strydom wrote:
> > I think there is an easier way of doing this...
> >
> > Why not use the GEOIP IPTABLES patch and then just use this in your
> > firewall:
> >
> > -----------------------------------------------------------------------------------------
> > $IPTABLES -A INPUT -p tcp -m geoip --src-cc CN -j DROP
> > $IPTABLES -A INPUT -p tcp -m geoip --src-cc KR -j DROP
> > $IPTABLES -A INPUT -p tcp -m geoip --src-cc TW -j DROP
> > $IPTABLES -A INPUT -p tcp -m geoip --src-cc HK -j DROP
> > -----------------------------------------------------------------------------------------
> >
> > This way you have 4 simple rules which do the work of that entire script.
> >
> >
> > On 10/10/05, Taka John Brunkhorst <antiwmac@×××××.com> wrote:
> >
> >     nice but why do we need to block them?
> >     ssh worms? or just lamers?
> >
> >     --
> >     antiwmac@×××××.com
> >     Taka John Brunkhorst
> >

Attachments

File name MIME type
signature.asc application/pgp-signature
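The thread weighs Dave's four-line geoip drop against Ben's objection that a server with legitimate users in those countries cannot afford to block them wholesale. The script below is an added example, not code from the thread or from the GeoIP iptables patch: it parses a constructed excerpt of sshd auth log lines, maps source addresses to countries through a small hypothetical prefix table standing in for a GeoIP database (the TEST-NET prefixes and their country assignments are made up for the example), and contrasts the two responses. A per-country rule locks out every user who logs in from that country, while a per-host threshold on failed passwords (the fail2ban style of response) catches only the brute-forcing hosts. The generated rule strings also narrow the match to the SSH port, unlike the quoted rules, which drop all TCP from the listed countries.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample sshd log excerpt for this example (not from the thread).
# Addresses are RFC 5737 TEST-NET ranges; nothing here is a real host.
SAMPLE_AUTH_LOG = """\
Oct 10 05:12:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4431 ssh2
Oct 10 05:12:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4432 ssh2
Oct 10 05:12:05 host sshd[2103]: Failed password for root from 203.0.113.7 port 4433 ssh2
Oct 10 05:12:09 host sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 4434 ssh2
Oct 10 05:14:30 host sshd[2110]: Failed password for root from 198.51.100.22 port 50210 ssh2
Oct 10 05:14:31 host sshd[2110]: Failed password for root from 198.51.100.22 port 50211 ssh2
Oct 10 05:14:33 host sshd[2112]: Failed password for invalid user oracle from 198.51.100.22 port 50212 ssh2
Oct 10 05:20:14 host sshd[2120]: Accepted publickey for jkim from 198.51.100.77 port 41022 ssh2
Oct 10 05:25:40 host sshd[2131]: Accepted publickey for bmicek from 192.0.2.15 port 55120 ssh2
Oct 10 05:26:02 host sshd[2133]: Failed password for bmicek from 192.0.2.15 port 55121 ssh2
"""

# Hypothetical prefix-to-country table standing in for a GeoIP database.
# The assignments are invented for the example; a real deployment would use
# the GeoIP data that the iptables geoip match loads.
COUNTRY_PREFIXES = {
    "CN": [ipaddress.ip_network("203.0.113.0/24")],
    "KR": [ipaddress.ip_network("198.51.100.0/24")],
    "US": [ipaddress.ip_network("192.0.2.0/24")],
}

# Matches both "Failed password for [invalid user] X from IP port N" and
# "Accepted publickey for X from IP port N" sshd lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def country_of(ip):
    """Return the country code for ip from the prefix table, or '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in COUNTRY_PREFIXES.items():
        if any(addr in net for net in nets):
            return cc
    return "??"


def parse_auth_log(text):
    """Return a list of (result, user, ip, country) tuples for recognised lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["user"], m["ip"], country_of(m["ip"])))
    return events


def country_summary(events):
    """Count failed and accepted logins per country."""
    summary = defaultdict(lambda: {"Failed": 0, "Accepted": 0})
    for result, _user, _ip, cc in events:
        summary[cc][result] += 1
    return dict(summary)


def brute_force_hosts(events, threshold=3):
    """Source addresses with at least `threshold` failed passwords."""
    failures = defaultdict(int)
    for result, _user, ip, _cc in events:
        if result == "Failed":
            failures[ip] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def users_locked_out_by_geoip(events, blocked_countries):
    """Users with successful logins from a country a geoip DROP would cover."""
    return sorted({user for result, user, _ip, cc in events
                   if result == "Accepted" and cc in blocked_countries})


def geoip_rules(countries, port=22):
    """Per-country rules, limited to the SSH port rather than all TCP."""
    return [f"iptables -A INPUT -p tcp --dport {port} -m geoip --src-cc {cc} -j DROP"
            for cc in countries]


def per_host_rules(ips, port=22):
    """Per-host rules for the brute-forcing sources only."""
    return [f"iptables -A INPUT -p tcp --dport {port} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    print("per country:", country_summary(events))
    blocked = ["CN", "KR"]
    print("geoip rules:", *geoip_rules(blocked), sep="\n  ")
    print("would lock out:", users_locked_out_by_geoip(events, set(blocked)))
    hosts = brute_force_hosts(events)
    print("per-host rules:", *per_host_rules(hosts), sep="\n  ")
```

On the constructed log, the country rules for CN and KR would cut off jkim, whose only activity is a successful key login from a KR address, whereas the per-host threshold produces two DROP rules, one for each brute-forcing source, and leaves jkim alone. The same check (accepted logins from a country before adding a geoip rule) is the one to run against a real auth log before deciding which of the two approaches a given server can afford.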