starting by iptable deny all of china is a good start. - Re:OT? Linux-based trojans now targeting WRT and other linux-based routers
Bryan O'Neal
boneal at cornerstonehome.com
Mon Mar 30 23:31:03 MST 2009
If you should never get a request outside the US why should you look any
further to deny it? This is not complete protection by any measure but it
makes an easy first step. I used to go one step further and block my
dynamic hosted websites (where you don't get to mess with iptables) from
being touched by people out side their target zone (usually US and Canada).
It immediately cuts the number of admin.php request by more then half ;)
That said you still need additional protection for ips you do allow through
to the next set of rules.
-----Original Message-----
From: plug-discuss-bounces at lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Craig
White
Sent: Monday, March 30, 2009 8:39 AM
To: Main PLUG discussion list
Subject: Re: starting by iptable deny all of china is a good start. - Re:OT?
Linux-based trojans now targeting WRT and other linux-based routers
On Mon, 2009-03-30 at 08:30 -0400, kitepilot at kitepilot.com wrote:
> And how do I:
> "starting by iptable deny all of china" ?
>
> I can figure out the "iptable" part, it is the "china" part (and other
> possible places where I know I will only get spam from) that I am
> unaware of...
----
I do not believe that this is constructive thinking. It's easy enough for
someone in China to use a computer somewhere else as a base for operations
and that security doesn't come from just arbitrarily picking ranges of ip
addresses to block. Security would necessarily require effectiveness from
virtually everywhere - possibly even your own 'trusted' lan.
Spam control on the other hand doesn't rely much on iptables at all but
rather many layers of implementation such as RBL's, greylisting (optional
but effective), spamassassin, smtp level restrictions and more.
Craig
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
More information about the PLUG-discuss
mailing list