erinammons.com » firewall http://www.erinammons.com the life and times of Erin Mon, 16 Jan 2012 00:16:06 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 What Firewalls Won’t Do http://www.erinammons.com/2009/10/02/what-firewalls-wont-do http://www.erinammons.com/2009/10/02/what-firewalls-wont-do#comments Sat, 03 Oct 2009 01:20:35 +0000 Erin http://www.erinammons.com/?p=236 Continue reading ]]> I had a customer ask me in a ticket today, “why isn’t my hardware firewall protecting my server against this brute-force [login] attack?”

My answer was “a hardware firewall will not protect your server against a brute-force attack.”

Why? because its not designed to do that. A hardware firewall is simply a traffic filter. It allows, disallows, or in some cases, routes traffic based on rules you set. It doesn’t know that Joe User’s account shouldn’t be logged into repeatedly from a Ukranian IP unless you tell it to only allow certain IPs through for that protocol.

That’s why we have scripts like BFD (http://www.rfxn.com/projects/brute-force-detection/).

Its also a good idea to move services like SSH to a random non-default port, disable direct root logins, and of course, only allow certain IPs to access services like SSH.

]]> http://www.erinammons.com/2009/10/02/what-firewalls-wont-do/feed 0