Sam Kuper wrote:
2008/11/10 Sam Kuper <[EMAIL PROTECTED]>
By using REJECT instead of DROP, you have no stealth. This means
you can be port-scanned to look for weaknesses, e.g. unpatched
OpenSSH vulnerabilities, etc.
That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
significant. If you're allowing any inbound traffic, though, any
unpatched flaws in the app servicing that inbound traffic could expose
your system to attack.
Also, by REJECTing rather than DROPping, you might be more vulnerable
to DoS attacks.
Consider using a default (LOG and) DROP policy instead. Michael Rash's
site (http://www.cipherdyne.org) has some good
resources for learning about this and implementing it.
OK, I have set the default policy to DROP. What more could I do?
Thank you very much.
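
The default LOG-and-DROP policy recommended in the quoted message, written out as an iptables script. This is an added example, not part of the thread; the function name `apply_default_drop`, the `IPT` override, the rate limit and the log prefix are assumptions chosen for illustration, and the script accepts no new inbound connections.

```shell
#!/bin/sh
# Added example (not from the thread): default LOG-and-DROP inbound policy.
# IPT is an assumed override hook; point it at another command for a dry run.
IPT="${IPT:-iptables}"

apply_default_drop() {
    # Start from an empty INPUT chain so the rule order below is complete.
    $IPT -F INPUT &&
    # Local traffic and replies to connections this host opened.
    $IPT -A INPUT -i lo -j ACCEPT &&
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &&
    # A chain policy cannot log by itself, so the last rule logs whatever is
    # about to hit the policy. The limit keeps a flood from filling the logs.
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 \
         -j LOG --log-prefix "INPUT DROP: " --log-level 4 &&
    # Policies are set last, after the accept rules are in place.
    # DROP sends nothing back; REJECT would answer every probe.
    $IPT -P INPUT DROP &&
    $IPT -P FORWARD DROP
}

# Apply only on request (as root): sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_default_drop
fi
```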