[Firehol-support] Re: servere's firewall
Grigory Fateyev
greg at anastasia.ru
Sat Apr 30 14:37:48 BST 2005
Hello, Daniel!
30 April 2005 at 08:36 You wrote:
> On 30 Apr 2005, Grigory Fateyev wrote:
> > I need to write a very secure firewall for a hosting server. I wrote
> > firehol.conf for it. What must I do to improve protection?
> > Please, give me advice.
>
> [...]
>
> > blacklist full 195.97.5.202
>
> You *must* add a comment here, explaining to anyone else who looks at
> it *why* you blacklist that address. Otherwise, pain will ensue.[1]
>
> > interface eth0 internet src "${server_ips}"
> > protection strong 10/sec 10
>
> This looks *much* too low for a hosting site. Ten connections a
> second is, like, two web pages a second.[2] You probably want
> something closer to "100/sec 200" or even higher.
>
> Also, *monitor* this in deployment to make sure it really does what
> you want, and that your clients don't suffer as a result.
What do you mean? Guard this parameter, and set it to the optimal value?
> > server ident reject with tcp-reset
> > server dns accept
> > server ftp accept
>
> Offering this will result in password guessing attacks on the server.
> Make sure you have decent rate and load limiting on the FTP server.
I will limit peer connections by server. Something else?
> (Yes, this isn't really a firewall issue, but close enough. ;)
>
> > server http accept
> > server https accept
>
> > server pop3 accept
> > server imap accept
>
> Offering these two encourages your clients to give away their
> passwords. Turn them off, and require the use of SSL to connect to the
> POP and IMAP servers.
It will be complicated to describe ...
> > server pop3s accept
> > server imaps accept
>
> If, like many hosting companies, you don't actually *want* to offer
> server side email storage, turn off IMAP. Most clients don't care,
> and it certainly adds little over POP in most similar services.
I'll try to learn it with the users.
> [...]
####### fixed firehol.conf
blacklist full 195.97.5.202 # Bad server flood me!
[..]
interface eth0 internet src "${server_ips}"
protection strong 200/sec 400
server ident reject with tcp-reset
server dns accept
server ftp accept
server http accept
server https accept
# server pop3 accept
server pop3s accept
# server imap accept
server imaps accept
server ssh accept src "${trust_ips}"
server icmp accept # Maybe limit connections to 10 per second?
client "dns ftp http ssh" accept # And many
Is it close?
Thanks for helping!
P.S. Sorry for my English ...
--
All the best!
greg_[at]_anastasia_[dot]_ru Grigory.
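As an added example, not part of this thread or of FireHOL itself: a small POSIX shell lint that reads a firehol.conf and flags the three points Daniel raised (a blacklist entry without a reason comment, plaintext pop3/imap listeners, and a "protection strong" rate below what a hosting box needs). The function names, the 100/sec threshold and the sample config embedded below are assumptions constructed for the example.

```shell
#!/bin/sh
# lint_firehol CONF [MINRATE]
#   CONF    path to a firehol.conf, or "-" for stdin
#   MINRATE lowest acceptable "protection strong N/sec" rate (default 100)
# Prints one finding per line; exits 1 if anything was found.
lint_firehol() {
    conf="$1"
    minrate="${2:-100}"
    awk -v minrate="$minrate" '
        # skip blank lines and comments (a commented-out "server pop3" is fine)
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # 1. blacklist entry with no "# why" comment
        /^[[:space:]]*blacklist[[:space:]]/ && !/#/ {
            print "blacklist without reason comment: " $0; bad = 1 }
        # 2. plaintext POP3/IMAP listeners: client passwords cross the wire in clear
        /^[[:space:]]*server[[:space:]]+(pop3|imap)[[:space:]]+accept/ {
            print "plaintext mail service, prefer pop3s/imaps: " $0; bad = 1 }
        # 3. "protection strong N/sec burst" with N below the threshold
        /^[[:space:]]*protection[[:space:]]+strong[[:space:]]/ {
            split($3, r, "/")
            if (r[1] + 0 < minrate + 0) {
                print "protection rate " $3 " is below " minrate "/sec: " $0; bad = 1 } }
        END { exit (bad ? 1 : 0) }
    ' "$conf"
}

# Constructed sample: the config as originally posted, before the fixes.
SAMPLE_CONF='blacklist full 195.97.5.202
interface eth0 internet src "${server_ips}"
    protection strong 10/sec 10
    server pop3 accept
    server imap accept
    server pop3s accept
    server imaps accept'

# count_findings CONFTEXT [MINRATE]: number of findings for a config string
count_findings() {
    printf '%s\n' "$1" | lint_firehol - "$2" | wc -l | tr -d ' '
}

count_findings "$SAMPLE_CONF" 100   # prints 4
```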