RE: starting by iptable deny all of china is a good start. -…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M 
MLisa Kachold at ->
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Bryan O'Neal
Date:  
To: 'Main PLUG discussion list'
Old-Topics: Re: starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
Subject: RE: starting by iptable deny all of china is a good start. - Re:OT? Linux-based trojans now targeting WRT and other linux-based routers
If you should never get a request outside the US why should you look any
further to deny it? This is not complete protection by any measure but it
makes an easy first step. I used to go one step further and block my
dynamic hosted websites (where you don't get to mess with iptables) from
being touched by people out side their target zone (usually US and Canada).
It immediately cuts the number of admin.php request by more then half ;)

That said you still need additional protection for ips you do allow through
to the next set of rules.

-----Original Message-----
From:
[mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Craig
White
Sent: Monday, March 30, 2009 8:39 AM
To: Main PLUG discussion list
Subject: Re: starting by iptable deny all of china is a good start. - Re:OT?
Linux-based trojans now targeting WRT and other linux-based routers

On Mon, 2009-03-30 at 08:30 -0400, wrote:
> And how do I:
> "starting by iptable deny all of china" ?
>
> I can figure out the "iptable" part, it is the "china" part (and other
> possible places where I know I will only get spam from) that I am
> unaware of...
----
I do not believe that this is constructive thinking. It's easy enough for
someone in China to use a computer somewhere else as a base for operations
and that security doesn't come from just arbitrarily picking ranges of ip
addresses to block. Security would necessarily require effectiveness from
virtually everywhere - possibly even your own 'trusted' lan.

Spam control on the other hand doesn't rely much on iptables at all but
rather many layers of implementation such as RBL's, greylisting (optional
but effective), spamassassin, smtp level restrictions and more.

Craig

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-decent non-embeded firewallRE: starting by iptable deny all of china is a good start. - Re:OT? Linux-based trojans now targeting WRT and other linux-based routers->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)