Re: OT: Educating users about Security

Author: KevinO
To: plug-discuss
Subject: Re: OT: Educating users about Security
Victor Odhner wrote:
> KevinO wrote:
>> Two services should be run on a firewall. syslog and
>> optionally, ssh open to an internal box only.
>
> How much of an exposure would it be to run ssh
> or a web server *occasionally* from that box to
> the outside world? Would there be some devious
> way to do this? Maybe a port-knocking app that
> would allow the service to open only after a
> specific "code" has been received?
>
> The actual server would only run when I "knocked",
> so it would not be responding to routine
> probing. Is this hopelessly naive?

I wouldn't do it. How much risk it is depends on what you will lose
if you are compromised. Some people who feel they have good backups and
secure servers might think it a reasonable solution.

To me it seems like a no-brainer 'cause the amount of work required to clean
up the mess afterwards is so much greater than doing it right in the first place.

Your firewall is also where you need to be most diligent applying upgrades, etc.

If someone owns your firewall, they have everything....

If you want to make a connection from home, you should port-forward that into
a box on your DMZ. Then, if you really want to be able to get at your desktop,
create a 'DMZ pinhole' to allow that one type of connection from the one box
on the DMZ to the one box on your internal LAN.

Ssh has had a few compromises in the last few years. I just installed some
apache updates yesterday.

- --
KevinO

Go placidly amid the noise and waste, and remember what value there may
be in owning a piece thereof.
        -- National Lampoon, "Deteriorata"
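The two-hop layout KevinO describes above (port-forward inbound ssh to one DMZ box, then a 'DMZ pinhole' from that one box to one internal host), written out as iptables rules. This is an added example, not code from the original post or from the list; interface names and addresses are constructed placeholders for a three-legged firewall (WAN, DMZ, LAN), and the functions only print the rules so the policy can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the original post): KevinO's DMZ layout as iptables
# rules. Interface names and addresses are constructed placeholders; change
# them to fit your network. The functions only print rules; to apply them,
# run:  policy | sh   (as root, on the firewall).

WAN_IF=eth0           # faces the Internet (assumed)
DMZ_IF=eth1           # DMZ segment (assumed)
LAN_IF=eth2           # internal LAN (assumed)
DMZ_HOST=192.0.2.10   # the one DMZ box that receives forwarded ssh (constructed)
LAN_HOST=10.0.0.20    # the one internal desktop reachable from DMZ_HOST (constructed)

# Default policy: nothing crosses the firewall unless a rule below allows it,
# and the Internet never reaches the firewall's own ssh port.
baseline() {
  printf '%s\n' "iptables -P FORWARD DROP"
  printf '%s\n' "iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -j DROP"
  printf '%s\n' "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Hop 1: port-forward inbound ssh to the DMZ box (DNAT) and allow only that
# forwarded flow from WAN to DMZ.
forward_ssh_to_dmz() {
  printf '%s\n' "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 22 -j DNAT --to-destination $DMZ_HOST:22"
  printf '%s\n' "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $DMZ_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
}

# Hop 2: the DMZ pinhole: one source host, one destination host, one port.
dmz_pinhole_to_lan() {
  printf '%s\n' "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -p tcp -s $DMZ_HOST -d $LAN_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
}

policy() {
  baseline
  forward_ssh_to_dmz
  dmz_pinhole_to_lan
}

# Review the generated rules before applying: fail if any rule lets WAN
# traffic straight into the LAN, if the pinhole is not pinned to the single
# DMZ source and single LAN destination, or if the default-drop is missing.
check_policy() {
  rules=$(policy)
  if printf '%s\n' "$rules" | grep -q -- "-i $WAN_IF -o $LAN_IF"; then
    return 1
  fi
  printf '%s\n' "$rules" | grep -q -- "-s $DMZ_HOST -d $LAN_HOST --dport 22" || return 2
  printf '%s\n' "$rules" | grep -q -- "-P FORWARD DROP" || return 3
  return 0
}

check_policy && policy
```

The point of the pinhole rule is that it names a single source, a single destination and a single port; a compromise of the DMZ box then buys an attacker exactly one path inward, not the whole LAN. The INPUT rule keeps the firewall itself off the list of ssh targets, which is the part of KevinO's advice that a plain port-forward on its own does not cover.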

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss