Linked by Thom Holwerda on Thu 5th May 2011 21:07 UTC, submitted by sawboss
There's fail, there's epic fail, and then there's Sony. You may've thought it wasn't possible, but Sony has just outdone itself on the fail scale, forcing us to add yet another notch. During the congressional testimony this morning, Dr Gene Spafford of Purdue University revealed just how badly Sony managed its Playstation Network servers. It's... Bad.
Thread beginning with comment 472043
WereCatf Member since:
2006-02-15

.. and lacking packet filtering rules.. really? If it's a linux kernel, it has packet filtering (a firewall) by default in the kernel.. just friggin use it.. iptables is your friend.


Having ipfiltering on the same machine that is running Apache is pointless. If the attacker successfully breaks in there, there is nothing stopping him from removing all the ipfilters, too. That's why you should always have a separate firewall that can only be managed from inside the internal network between Internet-side servers and the internal network.

Reply Parent Score: 2

jabbotts Member since:
2007-09-06

I agree. A separate appliance or server box between your server and the outside world is preferable. iptables on the local machine is still better than nothing though, and head and shoulders better than Sony seems to have done. All the mitigation in the world on top of your apache isn't going to be much good if iptables underneath your apache still leaves the system wide open (not to mention the number of services that use a loopback port but have no justification for being accessible from outside localhost).

Reply Parent Score: 2

Snapper Member since:
2005-11-16

[quote]Having ipfiltering on the same machine that is running Apache is pointless. If the attacker successfully breaks in there, there is nothing stopping him from removing all the ipfilters, too. That's why you should always have a separate firewall that can only be managed from inside the internal network between Internet-side servers and the internal network.[/quote]

Nope, it is not pointless. It prevents the admin from making a mistake in opening another app by mistake or due to a problem with an update process.

It is another layer of defense. If you know your Apache box is only supposed to be listening on port 80/443 then put the IP filter in there. It may just protect you from an internal compromise.

Reply Parent Score: 1
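An added example, not taken from any comment in this thread: a small POSIX shell check for the "only 80/443 should be reachable" rule Snapper and jabbotts describe. It parses the output of `ss -Hlnt` (a constructed sample is embedded so it runs offline), reports any TCP listener that is bound to a non-loopback address and not on the allowlist, and prints the matching default-deny iptables rules without applying them. The sample listeners, the allowlist and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the thread's own code). Finds TCP listeners exposed
# beyond localhost that an allowlist does not cover, and prints the
# default-deny iptables rules that would enforce the same allowlist.

# Constructed sample of `ss -Hlnt` output: Apache on 80/443, a loopback-only
# memcached, and two services bound to all interfaces (22 and 5432).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:11211 0.0.0.0:*
LISTEN 0 128 [::1]:11211 [::]:*
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 *:22 *:*'

# unexpected_listeners "80 443" < ss_output
# Prints "addr:port" for each listener that is neither loopback-bound nor allowed.
unexpected_listeners() {
    allowed=" $1 "
    while read -r state recvq sendq laddr peer; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}
        addr=${laddr%:*}
        case "$addr" in
            127.*|'[::1]') continue ;;   # reachable only from localhost: fine
        esac
        case "$allowed" in
            *" $port "*) continue ;;     # explicitly permitted port
        esac
        printf '%s\n' "$laddr"
    done
}

# iptables_rules "80 443": print (do not apply) a default-deny INPUT policy
# that keeps loopback and established traffic and opens only the allowlist.
iptables_rules() {
    printf '%s\n' "iptables -P INPUT DROP" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $1; do
        printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$p"
    done
}

# On a real host replace the sample with: ss -Hlnt | unexpected_listeners "80 443"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "80 443"
```

Anything the check prints is a service the host is exposing that the allowlist never intended, which is exactly the case where a host firewall with a default-deny policy still earns its keep.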