Firewall Wizards mailing list archives

Re: ipchains FW, monitoring for scans, & how to react to them


From: Crispin Cowan <crispin () cse ogi edu>
Date: Tue, 21 Dec 1999 06:11:32 +0000

Danny Rathjens wrote:

My question is how do you all feel about essentially doing
the firewalling on the webserver itself with ipchains instead
of a separate box that everything is filtered through.

I think the primary threat to web servers is the active content processing
programs (the CGIs, the Perl scripts, the JSPs, the ASPs, etc.) all of
which are accessed using HTTP requests, usually through port 80.  Thus
firewalls, whether on the web server or elsewhere, are essentially useless
in protecting the web server.  The firewall either blocks access to the
web server, or grants it.  No other magic happens.

1. On a web server I thought it was a cool idea to have portsentry
running and when it detected a connection to some port like 110,
1, or 31337, it would alert me and drop an ipchains rule in place

If your web server is responding to ports other than 80, then it is badly
configured.  Fix it so that it only responds to port 80 (and whatever you
use to publish) and you won't have to care about people portscanning it.

I'd look to techniques such as CGI Wrap or chroot() to protect your web
server.  My company also has some technologies to address these problems,
which I won't hype here for fear of tooting my own horn too much.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
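A check in the spirit of the advice above (make the server listen only on the ports you actually publish), added here as an example and not part of the original post or of any WireX tool: it parses text in /proc/net/tcp format (state 0A is LISTEN, addresses are little-endian hex) and reports every listening socket whose port is not on an allow list. The sample input is constructed, not captured from any real host; `listening_sockets` and `unexpected_listeners` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample in /proc/net/tcp format: an httpd on 0.0.0.0:80, an MTA on
# 127.0.0.1:25, a POP3 daemon on 0.0.0.0:110, and one established (non-listening) connection.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:006E 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0A000002:0050 0A000001:C1D2 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0'

# Read /proc/net/tcp-format text on stdin; print "addr:port" for every socket in
# LISTEN state (st == 0A). Uses only POSIX awk (no gawk strtonum), so the hex
# decoding is done by hand.
listening_sockets() {
    awk '
    function hex2dec(h,  i, d) {
        d = 0
        h = toupper(h)
        for (i = 1; i <= length(h); i++)
            d = d * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        return d
    }
    # IPv4 addresses are stored little-endian, so the four bytes come out reversed.
    function hex2ip(h) {
        return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." \
               hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    NR > 1 && $4 == "0A" {
        split($2, a, ":")
        print hex2ip(a[1]) ":" hex2dec(a[2])
    }'
}

# unexpected_listeners PORT... : print listening sockets whose port is not in the
# allow list. Loopback-only listeners are reported too; decide about them explicitly.
unexpected_listeners() {
    allowed=" $* "
    listening_sockets | while IFS=: read -r addr port; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$addr:$port" ;;
        esac
    done
}

# On a live Linux host: unexpected_listeners 80 443 < /proc/net/tcp
# (IPv6 listeners live in /proc/net/tcp6 and need the same treatment.)
printf '%s\n' "$SAMPLE_TCP" | unexpected_listeners 80 443
```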
