-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Victor Odhner wrote:
> KevinO wrote:
>> Two services should be run on a firewall. syslog and
>> optionally, ssh open to an internal box only.
>
> How much of an exposure would it be to run ssh
> or a web server *occasionally* from that box to
> the outside world? Would there be some devious
> way to do this? Maybe a port-knocking app that
> would allow the service to open only after a
> specific "code" has been received?
>
> The actual server would only run when I "knocked",
> so it would not be responding to routine
> probing. Is this hopelessly naive?

I wouldn't do it.

The amount of risk that it is depends on what you will lose if you are compromised. Some people that feel they have good backups and secure servers might think it a reasonable solution. To me it seems like a no-brainer 'cause the amount of work required to clean up the mess afterwards is so much greater than doing it right in the first place. Your firewall is also where you need to be most diligent applying upgrades etc. If someone owns your firewall, they have everything....

If you want to make a connection from home, you should port-forward that into a box on your DMZ. Then, if you really want to be able to get at your desktop, create a 'DMZ pinhole' to allow that one type of connection from the one box on the DMZ to the one box on your internal LAN.

Ssh has had a few compromises in the last few years. I just installed some apache updates yesterday.

- --
KevinO

Go placidly amid the noise and waste, and remember what value there may be in owning a piece thereof.
-- National Lampoon, "Deteriorata"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBnbCeI3MJ/OwKti0RAprQAJ4nMYEPcS2XA9ajgQfiGIqNMGjyuQCeOGvy
EFv5Qk39lmdOqN6IN0NhEHs=
=wBdq
-----END PGP SIGNATURE-----

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
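The layout KevinO describes (port-forward from the Internet into one DMZ box, then a single "DMZ pinhole" from that box to one internal host, with nothing listening on the firewall itself) as an iptables rule set. This is an added example, not code from the original post or from the PLUG list; the interface names (eth0/eth1/eth2), the addresses 192.168.100.10 and 192.168.1.20, and the choice of ssh on port 22 are assumptions made for illustration. By default the script only prints the rules; set IPT=iptables to load them.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed, illustrative layout:
#   eth0 = Internet side, eth1 = DMZ, eth2 = internal LAN (hypothetical names)
#   192.168.100.10 = ssh bastion in the DMZ, 192.168.1.20 = desktop on the LAN
# IPT defaults to "echo iptables" so the script only prints the rules;
# run with IPT=iptables (as root) to actually load them.
IPT="${IPT:-echo iptables}"

WAN_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
BASTION=192.168.100.10   # the one DMZ box the outside may reach
DESKTOP=192.168.1.20     # the one LAN box the bastion may reach
PORT=22

# Default deny for forwarded traffic; replies to already-accepted flows pass.
base_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Port-forward inbound ssh from the Internet into the DMZ bastion only.
forward_to_dmz() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$BASTION:$PORT"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$BASTION" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# DMZ pinhole: one source host, one destination host, one port, followed by
# an explicit drop so a compromised DMZ box cannot start anything else inward.
dmz_pinhole() {
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$BASTION" -d "$DESKTOP" \
        -p tcp --dport "$PORT" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
}

# The firewall itself takes no new connections from the Internet: no ssh
# and no web server listening on the firewall box.
firewall_input() {
    $IPT -A INPUT -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -j DROP
}

# Emit (or load) the complete rule set in order. Order matters: the pinhole
# ACCEPT must precede the DMZ->LAN DROP, and the DROP must be there at all.
render_rules() {
    base_rules
    forward_to_dmz
    dmz_pinhole
    firewall_input
}

render_rules
```

Two things to check after loading: that the only rule with the Internet as input interface sends traffic to the DMZ bastion and never to the LAN, and that the first rule naming the LAN as output interface is the pinhole ACCEPT, immediately followed by the catch-all DROP. The dry-run output makes both easy to grep before touching a live firewall.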