Yubb, On 10-Nov-01 Michael Appeldorn wrote:
> Hi list -
> Yesterday I set up a new box with a fixed IP and one NIC to the internet (newest 2.4.X kernel with actual netfilter).
> To keep it simple, the only thing I do on the internet is to regularly ping a certain server to check its heartbeat.
> I closed all incoming traffic (icmp, tcp, udp) which was not initiated by me, using the "iptables -m state" flag.
> netstat -an | grep -i listen | wc -l shows -> 0
> Is it right that the only way to compromise my system is to hijack a session I initiate, or to exploit vulnerabilities in the TCP/IP stack / netfilter implementation?
I think this is unlikely. If you only allow outgoing PINGs and incoming PONGs relative to the PINGs, there's no way for an attacker to hijack this connection, since it's ICMP.
> or - if not,
> where else can an attacker hurt me?
Denial of Service, Distributed Denial of Service, illicit traffic redirections via routing, and DNS spoofing. DoS/DDoS wouldn't allow an attacker to "own" your host, but to render it useless. Make sure you use syn-cookie protection, and maybe ask your upstream provider about their anti-DoS facilities. Don't expect too much, tho... Does your host trust any DNS server, or is your host a DNS slave in a bigger network with a couple of trusted masters? If so, this would open another (minimal) window of vulnerability, but if you use SuSE's netfilter implementation and firewall, your DNS traffic should be reasonably safe. Of course some serious kernel bugs could do harm, too, depending on the nature of this vuln (local or remote). To take some more precautions against remote kernel sploits, make sure your host is set up minimally, without compiler, X, or any other daemon/app which you don't really need. A monolithic kernel (without any loadable modules) would also be a good idea. Lastly, don't forget your internal users/admins who may have access to this machine... "The enemy lies within"... ;)
> Michael
Boris Lorenz
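The policy described in this thread (default DROP, only outgoing ICMP echo to one heartbeat host, inbound only for states the box itself opened, plus Boris's syn-cookie advice) written out as an iptables-restore ruleset. This is an added example, not code from either poster; HEARTBEAT_IP and WAN_IF are placeholders, and the ruleset is only printed unless the script is run with "apply".

```shell
#!/bin/sh
# Added example: stateful "ping-only" host firewall for a 2.4 kernel with
# netfilter, as described in the thread. Nothing is applied by default.
HEARTBEAT_IP="${HEARTBEAT_IP:-192.0.2.10}"   # placeholder address (TEST-NET-1)
WAN_IF="${WAN_IF:-eth0}"                      # assumed name of the single NIC

# Print the ruleset in iptables-restore format.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback stays open for local processes only
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets that conntrack cannot match to any known state are dropped
-A INPUT -m state --state INVALID -j DROP
# replies (PONGs) and related ICMP errors for traffic this host sent
-A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# the only NEW traffic allowed out: ICMP echo to the heartbeat host
-A OUTPUT -o $WAN_IF -p icmp --icmp-type echo-request -d $HEARTBEAT_IP -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Same check as in the thread: number of TCP/UDP sockets in LISTEN state.
listening_sockets() {
    netstat -an 2>/dev/null | grep -ci listen || true
}

# Apply with: sh firewall.sh apply   (root required; needs iptables-restore)
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.tcp_syncookies=1    # syn-cookie protection per Boris
    build_rules | iptables-restore
    echo "listening sockets: $(listening_sockets)"
fi
```

Because OUTPUT also defaults to DROP, the box cannot even resolve names; that is fine here since the heartbeat target is given by IP, and it removes the DNS spoofing window Boris mentions.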