List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Brian Micek <bmicek@...>
Subject: Re: If your interested
Date: Mon, 10 Oct 2005 01:33:47 -0400
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/3.3.2">
</HEAD>
<BODY>
On Mon, 2005-10-10 at 15:20 +1000, Ben Anderson wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">It may make sense for small, limited users machines, but what about </FONT>
<FONT COLOR="#000000">servers that are intentionally advertising ssh for its users globally, </FONT>
<FONT COLOR="#000000">so can't use port knocking, can't block all of korea (as some users </FONT>
<FONT COLOR="#000000">definitely connect from there) and so on...</FONT>

</PRE>
</BLOCKQUOTE>
Ben, you're correct ... it would be silly to block China on a commercial server doing business with China.&nbsp; Those machines probably require a secure architecture most of us light-weight users can't support.
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">Seems to me blocking large chunks of the net because they're a pain is a </FONT>
<FONT COLOR="#000000">short term solution that's going to cause long term pain for the </FONT>
<FONT COLOR="#000000">internet at large if it's allowed to become standard practice...</FONT>
</PRE>
</BLOCKQUOTE>
Once again, censorship is silly but it works.&nbsp; There is something ironic about censoring a country that censors their Internet.
<BLOCKQUOTE TYPE=CITE>
<PRE>

<FONT COLOR="#000000">Shouldn't this list focus on the general, base level security rather </FONT>
<FONT COLOR="#000000">than specific work-arounds for these types of issues that don't apply to </FONT>
<FONT COLOR="#000000">a lot of boxen?</FONT>

<FONT COLOR="#000000">2c out.</FONT>
<FONT COLOR="#000000">Ben</FONT>




<FONT COLOR="#000000">Dave Strydom wrote:</FONT>
<FONT COLOR="#000000">&gt; I think there is an easier way of doing this...</FONT>
<FONT COLOR="#000000">&gt; </FONT>
<FONT COLOR="#000000">&gt; Why not use the GEOIP IPTABLES patch and then just use this in your </FONT>
<FONT COLOR="#000000">&gt; firewall:</FONT>
<FONT COLOR="#000000">&gt; </FONT>
<FONT COLOR="#000000">&gt; -----------------------------------------------------------------------------------------</FONT>
<FONT COLOR="#000000">&gt; $IPTABLES -A INPUT -p tcp -m geoip --src-cc CN -j DROP</FONT>
<FONT COLOR="#000000">&gt; $IPTABLES -A INPUT -p tcp -m geoip --src-cc KR -j DROP</FONT>
<FONT COLOR="#000000">&gt; $IPTABLES -A INPUT -p tcp -m geoip --src-cc TW -j DROP</FONT>
<FONT COLOR="#000000">&gt; $IPTABLES -A INPUT -p tcp -m geoip --src-cc HK -j DROP</FONT>
<FONT COLOR="#000000">&gt; -----------------------------------------------------------------------------------------</FONT>
<FONT COLOR="#000000">&gt; </FONT>
<FONT COLOR="#000000">&gt; This way you have 4 simple rules which do the work of that entire script.</FONT>
<FONT COLOR="#000000">&gt; </FONT>
<FONT COLOR="#000000">&gt; </FONT>
<FONT COLOR="#000000">&gt; On 10/10/05, *Taka John Brunkhorst* &lt;<A HREF="mailto:antiwmac@...">antiwmac@...</A> </FONT>
<FONT COLOR="#000000">&gt; &lt;mailto:<A HREF="mailto:antiwmac@...">antiwmac@...</A>&gt;&gt; wrote:</FONT>
<FONT COLOR="#000000">&gt; </FONT>
<FONT COLOR="#000000">&gt;     nice but why do we need to block them?</FONT>
<FONT COLOR="#000000">&gt;     ssh worms? or just lamers?</FONT>
<FONT COLOR="#000000">&gt; </FONT>
<FONT COLOR="#000000">&gt;     -- </FONT>
<FONT COLOR="#000000">&gt;     <A HREF="mailto:antiwmac@...">antiwmac@...</A> &lt;mailto:<A HREF="mailto:antiwmac@...">antiwmac@...</A>&gt;</FONT>
<FONT COLOR="#000000">&gt;     Taka John Brunkhorst </FONT>
<FONT COLOR="#000000">&gt; </FONT>
<FONT COLOR="#000000">&gt; </FONT>
</PRE>
</BLOCKQUOTE>
</BODY>
</HTML>
Attachment:
signature.asc (This is a digitally signed message part)
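Added example (not part of the original message or thread): a shell function that prints, without applying, a narrower form of the geoip rules quoted above, matching only new inbound SSH connections instead of all TCP. The chain name GEO_SSH, the port 22 default and the function name are assumptions; the `-m geoip --src-cc` match is the one used in the quoted rules.

```shell
#!/bin/sh
# Added example: prints iptables commands; it does not apply them.
# Assumes the geoip match (-m geoip --src-cc) from the quoted rules is available.
LC_ALL=C; export LC_ALL      # make [A-Z] match ASCII upper case only

SSH_PORT=22                  # assumption: sshd listens on the default port
CHAIN=GEO_SSH                # hypothetical chain name

geoip_ssh_rules() {
    if [ "$#" -eq 0 ]; then
        echo "usage: geoip_ssh_rules CC [CC ...]" >&2
        return 2
    fi
    # Validate every code before emitting anything, so a bad argument
    # never produces a partial ruleset or injects extra shell text.
    for cc in "$@"; do
        case "$cc" in
            [A-Z][A-Z]) ;;
            *) echo "invalid country code: $cc" >&2; return 1 ;;
        esac
    done
    # Dedicated chain: only NEW connections to the SSH port are evaluated,
    # all other traffic is left to the existing INPUT rules.
    echo "iptables -N $CHAIN"
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j $CHAIN"
    for cc in "$@"; do
        echo "iptables -A $CHAIN -m geoip --src-cc $cc -j DROP"
    done
    # Anything not matched returns to INPUT for normal processing.
    echo "iptables -A $CHAIN -j RETURN"
}

# The four country codes used in the quoted rules.
geoip_ssh_rules CN KR TW HK
```

Review the printed commands before piping them to a shell; removing a country code later only means deleting one rule from the dedicated chain.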


Updated Jun 17, 2009
