Firewall security: Problems with simple Samba file share 3594

Comment on where you see a problem:

What you want to be thinking about is "what does my action defend me against"? In the case of restricting ssh source IPs to not be from china, nothing - there was no attack that could have been produced from china in particular.

I suspect you have some notion that you are surrounded by a sea of attackers, and that one or the other of their attacks is as likely or not to succeed as any other, so you win by reducing the total number of possible attacks.

False. There are some attacks that have only a probability of success each attempt, but that becomes irrelevant when you consider the attack continued over a day, for example. Do you cut down on the probability of somebody succeeding, rather than a particular person succeeding, by restricting IPs? No - because you are not surrounded by a sea of attackers! I already argued this with you! Any attack that became endemic would be detected by someone somewhere, fixed by someone somewhere, and the immunisation distributed by your distro, thanks to open source. WELL before it became a blip on your horizon.

The effect of restricting your source IPs is the same as reducing the number of persons you have contact with in the middle of a measles epidemic. It lengthens the topology of the epidemic, it does not make your probability of getting it "zero", it simply increases the expected time until you get the disease. Hopefully until beyond the time the disease dies out! Or beyond the time you immunise yurself with the newly developed vaccine. But I already argued this - in open source the transmission rate is not high enough because of the heterogeneity of the medium, so a disease spreads slowly. And the number of knowledgable victims is so great that a defense is developed within 3-8 attacks. And the speed of response is so fast that the defense is checked and distributed within hours. This is much faster a response than the disease spreads, so the disease is self-quenched by the response it provokes.

It's like living in an environment where as soon as somebody develops a disease, their antibodies are transmitted to the rest of the population. A "successful" disease kills itself by the response it evokes. Unsuccessful diseases we don't care about - they die out by definition.

And note that potentially successful diseases must attack generally open ports - otherwise they won't have a medium in which to spread!

Peter