George,

That brings up an interesting point that I think is worth a mention.  Especially in production networks, it's important to understand that firewalls, IDS/IPS and monitoring are all separate concerns.  Blocking outbound traffic is generally more advisable if you're worried about preventing spam from infected machines or stopping reverse shell call-homes from compromised machines (the second is generally false security unless you're *really* restrictive outbound), whereas an IDS is more appropriate for detecting problems.  Other than occasionally blocking port 25 outbound, I don't block outbound traffic; however, I do collect a lot of metrics, use an IDS system and alert on suspicious behavior.  I would recommend all sysadmins do the same on production networks; on my home network I don't bother with any of it, but everyone should gauge their risk and comfort levels for themselves.

Thanks,


On Sat, Aug 30, 2014 at 3:25 PM, George Toft <george@georgetoft.com> wrote:
Because I had outgoing rules defined, I actually found out I had an infected Windows 98 box (yeah - long time ago).  Said Win98 box was running a leading AV program and was infected by one of the most popular viruses.  This event boosted my faith in outbound monitoring and destroyed my faith in AV products.
Regards,

George Toft
On 8/27/2014 9:39 AM, Lisa Kachold wrote:
The most important thing you can do is FIREWALL outbound traffic as well as inbound.

It's a great deal of work, but clearly nefarious traffic will be dropped.


On Wed, Aug 27, 2014 at 7:32 AM, Bob Elzer <bob.elzer@gmail.com> wrote:

My question would be, how many times a day does someone try to break into your system ?

If you don't know the answer then maybe you should be running a firewall.

It really depends on whether your network is secure or not; usually what secures your network is a firewall. If that's the one on your router, then that should be enough.

Looking in your log files for strange IPs and failed password attempts will let you know if people are trying to get in. If you're running a web server, look in the error logs for attempts to access non-existent files, usually a bunch from the same IP.

Windows may have more vulnerabilities, but they will still try to break into Linux systems.

Search and read about fail2ban; that's one tool to use when you need to have a service open to the internet.

Hope this helps

On Aug 26, 2014 8:15 PM, "Michael Havens" <bmike1@gmail.com> wrote:
I hear people say, "Even Linux users need a firewall."
My question is..... why? I've run Linux since '98 w/o a firewall (aside from the one sent with my modem/router). Isn't that good enough?
:-)~MIKE~(-:

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss









--
Paul Mooring
Operations Engineer
Chef
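
The log check Bob describes (failed password attempts, "usually a bunch from the same IP") and the rule fail2ban applies to them, as an added example that is not part of the thread above: it parses sshd "Failed password" lines in syslog format, keeps a per-source sliding time window, and flags any source that hits the retry threshold inside that window. The log lines are constructed, the thresholds are arbitrary knobs in the spirit of fail2ban's maxretry/findtime, and the hostname, users and addresses are made up.

```python
"""Count failed SSH logins per source IP from auth.log-style lines.

Added example, not from the PLUG-discuss thread. SAMPLE_LOG is constructed;
maxretry/findtime_s are arbitrary knobs mirroring fail2ban's idea of
"N failures within a time window".
"""
import re
from collections import defaultdict
from datetime import datetime

# Classic sshd "Failed password" line as written by syslog (no year in the stamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one source brute-forcing, one user who fat-fingered once.
SAMPLE_LOG = """\
Aug 27 07:30:01 host sshd[2101]: Accepted publickey for bob from 10.0.0.5 port 52100 ssh2
Aug 27 07:30:12 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 41001 ssh2
Aug 27 07:30:13 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2
Aug 27 07:30:15 host sshd[2104]: Failed password for root from 203.0.113.7 port 41003 ssh2
Aug 27 07:30:16 host sshd[2105]: Failed password for root from 203.0.113.7 port 41004 ssh2
Aug 27 07:30:18 host sshd[2106]: Failed password for invalid user oracle from 203.0.113.7 port 41005 ssh2
Aug 27 07:45:00 host sshd[2200]: Failed password for mike from 192.0.2.44 port 50001 ssh2
Aug 27 07:45:30 host sshd[2201]: Accepted password for mike from 192.0.2.44 port 50002 ssh2
Aug 27 09:10:00 host sshd[2300]: Failed password for root from 203.0.113.7 port 41006 ssh2
"""


def parse_failures(text, year=2014):
    """Yield (timestamp, ip, user) for every failed-password line in text."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def offenders(text, maxretry=5, findtime_s=600):
    """Return {ip: total_failures} for sources that reach maxretry failures
    within any findtime_s-second window (sliding window per source IP)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(text):
        by_ip[ip].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= findtime_s.
            while (times[end] - times[start]).total_seconds() > findtime_s:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = len(times)
                break
    return flagged


def drop_rules(flagged):
    """Render an iptables DROP rule per flagged source (what fail2ban's
    default action does; hypothetical chain name, adjust to taste)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for ip, n in hits.items():
        print(f"{ip}: {n} failed logins")
    print("\n".join(drop_rules(hits)))
```

Run it against a real file with `offenders(open("/var/log/auth.log").read())`; the single failure from 192.0.2.44 stays below the threshold, while 203.0.113.7's burst is flagged. The sixth failure from that address at 09:10 is outside the ten-minute window, so raising `maxretry` to 6 flags nothing, which is the findtime behaviour to keep in mind when tuning.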