HOWTO: Security
    Hal Murray 
    hmurray at megapathdsl.net
       
    Tue May 24 20:47:48 UTC 2016
    
    
  
esr at thyrsus.com said:
> See my reply to Gary and your text about NATs and firewalls.  Nobody has
> convinced me that this procedure *isn't* taking security seriously, nor will
> they until I understand how any machine other than the one I port-forward to
> is visible to outsiders.

Your mention of port-forward assumes you are behind a NAT box.  That's not
true in all setups.

Try "lastb | grep pi -w" on your bastion machine to get an indication of how
persistent the bad guys are.  I'm averaging one a day.  You can do the math.
It's far from a sure thing, but there are too many stories out there along
the lines of "my box was hacked within 5 minutes".

Gary's comments about IPv6 are important, at least in theory.  lastb doesn't
show me any probes from IPv6 addresses on the machines I looked at.  I'm
guessing the bad guys aren't geared up to scan IPv6 yet.  Brute force isn't
going to find interesting targets - there are too many bits in IPv6
addresses.  I wonder when the bad guys will be selling IPv6 addresses the
same way they sell email addresses.

-- 
These are my opinions.  I hate spam.
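
Added example, not part of the original message: a shell function that goes one step beyond the "lastb | grep pi -w" check above by counting failed logins per user name and per source address family, so the "no probes from IPv6" observation can be checked directly. The function names and the sample records are constructed for illustration; the sample uses documentation address ranges.

```shell
#!/bin/sh
# Added example: summarise lastb-style records read from stdin.
# Emits "family <ipv4|ipv6|other> <count>" and "user <name> <count>" lines.

summarize_lastb() {
    awk '
        # Skip blank lines and the trailing "btmp begins ..." line.
        NF < 3 || ($1 == "btmp" && $2 == "begins") { next }
        {
            users[$1]++
            src = $3                      # third column is the source host
            if (src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) fam["ipv4"]++
            else if (src ~ /:/)                            fam["ipv6"]++
            else                                           fam["other"]++
        }
        END {
            for (u in users) printf "user %s %d\n", u, users[u]
            for (f in fam)   printf "family %s %d\n", f, fam[f]
        }
    ' | LC_ALL=C sort -k1,1 -k3,3nr -k2,2   # group, then highest count first
}

# Constructed sample in lastb layout (not real log data).
sample_lastb() {
    cat <<'EOF'
pi       ssh:notty    203.0.113.5      Tue May 24 20:01 - 20:01  (00:00)
root     ssh:notty    198.51.100.7     Tue May 24 19:40 - 19:40  (00:00)
pi       ssh:notty    2001:db8::1      Tue May 24 18:02 - 18:02  (00:00)
admin    ssh:notty    scanner.example  Mon May 23 11:15 - 11:15  (00:00)
pi       ssh:notty    203.0.113.5      Mon May 23 03:30 - 03:30  (00:00)

btmp begins Sun May  1 03:12:01 2016
EOF
}

# Demo on the sample; on a real bastion host run (as root): lastb | summarize_lastb
sample_lastb | summarize_lastb
```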
    
    