Mailinglist Archive: opensuse (770 mails)

Re: [opensuse] Router firewall vs openSUSE firewall
Bob Williams [28.08.2012 16:05]:
On 28/08/12 14:25, Billie Walsh wrote:
On 08/28/2012 06:49 AM, James Knott wrote:
Bob Williams wrote:
Is it safe to rely on the router firewall alone, combined with NAT,
always accepting that safety is a relative term?

Well, many commercial boxes run on Linux or BSD.

My firewall/router is openSUSE 11.4 on an old Compaq computer. Of
course, security in depth can be more secure than a single layer.


My only thought is, "How bad would someone want to get into your system?"

Here at home we just rely on the router's firewall. We run the cheap
Cisco/Linksys routers with the DDWRT software. It's a bit better than
the standard Linksys software. We turn off broadcast for wireless. That
way the system is not visible to a casual scan. There's nothing here
that would warrant someone spending an excessive amount of time hacking
into.


Some time ago I looked at /var/log/messages and was amazed to see
someone was running a script to try and get through port 22. Of course,
sshd rejected every attempt, but it prompted me to move ssh to a
different port.

So, there's always someone out there scanning for open ports. Apart from
that, I just have the usual amount of personal information on this machine.

I think what I'll end up doing is continue to run both firewalls, but
disable the openSUSE one temporarily for the time I want to watch a
video, browse my photos, etc.

Don't you have a firewall on the router? Why do you allow access on port
22 from the outside there? Choose a port that is known just by you (for
example, 7722) and make the router forward this port to your host's
port 22. Do not allow direct access, because this will just fill your
logs with the login attempts of script kiddies.

Second, try something like fail2ban. On our aged NX server (port 22
accessible from outside), we use this as protection, and about 99% of
the attacks stop after 5 attempts when the client is disallowed for the
first time.

HTH
Werner
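
Added example, not part of the message above and not fail2ban's own code: a simplified sketch of the "block after 5 attempts" rule, counting sshd password failures per source address inside a sliding time window. The log lines are constructed, the host name `gw` and the names `offenders` and `SAMPLE_LOG` are made up for illustration, and `maxretry`/`findtime` are borrowed from fail2ban's option names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd writes to /var/log/messages.
# Addresses come from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Aug 28 13:00:05 gw sshd[2101]: Failed password for root from 198.51.100.23 port 50001 ssh2
Aug 28 13:20:05 gw sshd[2107]: Failed password for root from 198.51.100.23 port 50002 ssh2
Aug 28 13:40:05 gw sshd[2113]: Failed password for root from 198.51.100.23 port 50003 ssh2
Aug 28 14:00:05 gw sshd[2119]: Failed password for root from 198.51.100.23 port 50004 ssh2
Aug 28 14:02:01 gw sshd[2201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Aug 28 14:02:03 gw sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Aug 28 14:02:05 gw sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 40114 ssh2
Aug 28 14:02:08 gw sshd[2207]: Failed password for root from 203.0.113.7 port 40115 ssh2
Aug 28 14:02:10 gw sshd[2209]: Failed password for invalid user oracle from 203.0.113.7 port 40116 ssh2
Aug 28 14:05:30 gw sshd[2230]: Failed password for bob from 192.0.2.10 port 51000 ssh2
Aug 28 14:05:41 gw sshd[2230]: Accepted password for bob from 192.0.2.10 port 51000 ssh2
Aug 28 14:20:05 gw sshd[2301]: Failed password for root from 198.51.100.23 port 50005 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def offenders(log_text, maxretry=5, findtime=timedelta(minutes=10), year=2012):
    """Return {ip: time of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():   # lines are assumed to be in time order
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and other daemons are ignored
        stamp, ip = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(when)
        while when - window[0] > findtime:   # forget failures older than the window
            window.popleft()
        if len(window) >= maxretry and ip not in flagged:
            flagged[ip] = when
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the limit at {when:%H:%M:%S}")
```

With the default 10-minute window only the rapid scanner is flagged; the source that tries once every 20 minutes also has five failures in total but never reaches the threshold, which is the trade-off to weigh when choosing the window length.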
