iptables script + capabilities

Άγγελος Οικονομόπουλος aoiko at cc.ece.ntua.gr
Wed Oct 16 12:06:01 EEST 2002


On Wednesday 16 October 2002 05:45, Alexandros Papadopoulos wrote:
> On Tuesday 15 October 2002 19:55, Άγγελος Οικονομόπουλος wrote:
[snip]
> > what's the reasoning? that the Tiny personal fw (or any application-level
> > fw) makes sense behind a Cisco (or any pf fw)? how do you back that
> > up ("it's good to have one" is not an argument)?
>
> I'm answering everything together - sorry I was vague before, but I was at an
> Apple presentation and was seeing stars.
>
> My reasoning is that
>
> - - you use iptables / PIX / whatever to protect the network at the
> packet-filtering level, at point X (say, the router)
>
> and
>
> - - you put an application-level firewall in the style of Tiny on the clients
> behind X, which adds the feature that is inevitably missing from the
> firewall at X, namely it keeps a database of checksums of the applications
> that are allowed to perform such-and-such network activities.
>
> So as a whole, we have a network that both does the traditional
> packet filtering and restricts which applications can
> generate any traffic at all.
>
> Speaking of *one* standalone machine, my reasoning is that I would
> want to have both together, in one application (i.e. a more
> advanced version of iptables/netfilter).

yes, sure, the kernel will take and compare md5 checksums every time
it is about to execute a program (not to mention that this procedure can
probably be bypassed rather easily, because a program is not just its image).
moreover, it takes 10 times longer for *every* exec, and
that for something which can be done in advance (easily) in
userspace. I wonder why nobody has done it yet.

> That way you add an extra
> layer of security (the hotshot has to get through the firewall via a
> well-known protocol, alter the database with the hashes of the
> executables I have authorized to have network activity, put
> trojaned versions of the executables in place, etc. etc. Well, whoever has
> got that far, I take my hat off to him and hand him my laptop to
> play with as well. That's a tall order! :-)

if he gets past the pf firewall, it means you did something wrong when you
set it up...

> With the above method I assume you rule out a large class of automated
> attacks/rootkits etc., because even if you have a trojaned binary on your
> system, it is restricted by the application firewall and cannot
> talk to the outside world. Yes, yes, I know, you can replace that
> too if you want, but as we said, there is no absolute security, security
> is a process etc. etc.

if the intruder already has uid==0 you cannot make his life hard no matter
how much you struggle. the only thing that can make it hard for him is his own
incompetence.

-- 
Don't diddle code to make it faster - find a better algorithm.
            - The Elements of Programming Style (Kernighan & Plauger)
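The executable-hash database the thread argues about, done the way the reply suggests (computed ahead of time in userspace, not by the kernel on every exec), as an added example that is not code from the list post or from any of the tools named in it. The script builds a manifest of digests for a set of allowed binaries, stores it as JSON, and later verifies the directory against it, reporting files that were replaced, removed or never listed. The three "binaries" are constructed files in a temporary directory; SHA-256 is used here in place of the md5 the thread mentions, which is my choice rather than the page's. As the reply points out, such a check covers only the files in the manifest, not everything a program loads at run time.

```python
"""Build and verify an allow-list of executable digests, entirely in userspace.

Constructed example: the 'executables' are small files written to a temp dir.
"""
import hashlib
import json
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"  # the thread speaks of md5; sha256 is the substitute chosen here


def file_digest(path: Path, algo: str = HASH_ALGO) -> str:
    """Hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, names, algo: str = HASH_ALGO) -> dict:
    """Hash the allowed executables under root, keyed by path relative to root."""
    return {
        "algorithm": algo,
        "files": {name: file_digest(root / name, algo) for name in sorted(names)},
    }


def verify_manifest(manifest: dict, root: Path) -> dict:
    """Compare every regular file under root with the manifest.

    Returns a report with four sorted lists:
      ok         -> present and digest matches
      modified   -> present but digest differs (e.g. a replaced binary)
      missing    -> listed in the manifest but no longer on disk
      unexpected -> on disk but not in the manifest (never authorised)
    """
    algo = manifest["algorithm"]
    expected = manifest["files"]
    on_disk = {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, want in expected.items():
        if name not in on_disk:
            report["missing"].append(name)
        elif file_digest(root / name, algo) != want:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    report["unexpected"] = sorted(on_disk - set(expected))
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Constructed scenario: three fake binaries, then one replaced, one removed, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        images = {"sshd": b"SSHD-IMAGE", "ntpd": b"NTPD-IMAGE", "wget": b"WGET-IMAGE"}
        for name, body in images.items():
            (root / name).write_bytes(body)
        manifest = build_manifest(root, images)
        # round-trip through JSON, as a manifest stored on disk would be
        manifest = json.loads(json.dumps(manifest))

        (root / "wget").write_bytes(b"WGET-IMAGE-REPLACED")  # binary swapped out
        (root / "ntpd").unlink()                              # binary removed
        (root / "nc").write_bytes(b"NC-IMAGE")                # never authorised
        return verify_manifest(manifest, root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints a report with `sshd` under `ok`, `wget` under `modified`, `ntpd` under `missing` and `nc` under `unexpected`. The manifest is only as trustworthy as the place it is stored, so in practice it belongs on read-only or separately controlled storage rather than next to the binaries it describes.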




More information about the Linux-greek-users mailing list