<div dir="ltr"><div><div>George,<br><br></div>That brings up an interesting point that I think is worth a mention. Especially in production networks, it's important to understands that firewalls, IDS/IPS and monitoring are all separate concerns. Blocking outbound traffic is generally more advisable if your worried about preventing spam from infection machines or stopping reverse shell call homes from compromised machines (the second is generally false security unless you're *really* restrictive outbound) whereas an IDS is more appropriate for detecting problems. Other than occasionally blocking port 25 outbound, I don't block outbound traffic, however I do collect a lot of metrics, use an IDS system and alert on suspicious behavior. I would recommend all sys-admins do the same on production networks, on my home network I don't bother with any of it but everyone should gauge their risk and comfort levels for themselves.<br>
<br></div>Thanks,<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Aug 30, 2014 at 3:25 PM, George Toft <span dir="ltr"><<a href="mailto:george@georgetoft.com" target="_blank">george@georgetoft.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Because I had outgoing rules defined, I
actually found out I had an infected Windows 98 box (yeah - long
time ago). Said Win98 box was running a leading AV program and
was infected by one of the most popular viruses. This event
boosted my faith in outbound monitoring and destroyed my faith in
AV products.<br>
<pre cols="72">Regards,
George Toft
</pre><div><div class="h5">
On 8/27/2014 9:39 AM, Lisa Kachold wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">The most important thing you can do is FIREWALL
outbound traffic as well as inbound.
<div><br>
</div>
<div>It's a great deal of work, but clearly nepharious traffic
will be dropped.</div>
</div>
<div class="gmail_extra">
<br>
<br>
<div class="gmail_quote">On Wed, Aug 27, 2014 at 7:32 AM, Bob
Elzer <span dir="ltr"><<a href="mailto:bob.elzer@gmail.com" target="_blank">bob.elzer@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">My question would be, how many times a day does
someone try to break into your system ?</p>
<p dir="ltr">If you don't know the answer then maybe you
should be running a firewall.</p>
<p dir="ltr">It really depends on whether your network is
secure or not, usually what secures your network is a
firewall. If that's the one on your router then that
should be enough.</p>
<p dir="ltr">Looking in your log files for strange IP's and
failed password attempts will let you know if people are
trying to get in, if you're running a web server look in
the error logs for attempts to access non existing files,
usually a bunch from the same IP.</p>
<p dir="ltr">Windows may have more vulnerabilities, but they
will still try to break into Linux systems.</p>
<p dir="ltr">Search and read about fail2ban, that's one tool
to use when you need to have a service open to the
internet.</p>
<p dir="ltr">Hope this helps<br>
</p>
<div class="gmail_quote">On Aug 26, 2014 8:15 PM, "Michael
Havens" <<a href="mailto:bmike1@gmail.com" target="_blank">bmike1@gmail.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>I hear people say, "Even Linux users need a
firewall."<br>
</div>
My question is..... why? I've runlinux since '98 w/o a
firewall (aside from the one sent with my
modem/router). Isn't that good enough?<br clear="all">
<div>
<div>
<div>:-)~MIKE~(-:</div>
</div>
</div>
</div>
<br>
---------------------------------------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to change your mail
settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
</blockquote>
</div>
<br>
---------------------------------------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>---------------------------------------------------
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.org</a>
To subscribe, unsubscribe, or to change your mail settings:
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a></pre>
</blockquote>
<br>
</div></div></div>
<br>---------------------------------------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br></blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">Paul Mooring<div>
Operations Engineer</div><div>Chef</div></div>
</div>