Limiting Administration by OS

This is the third and probably last of my ramblings on the subject of locking down a machines potential attack footprint by mass filtering. While I’ve already mentioned blocking certain ports to entire countries (mostly to stop SPAM) and only allowing access to other ports to geographically local IPs (to stop attacks on critical services like SSH for admins) it is also worth mentioning OS detection.

Certain products and operating systems, such as P0F, OpenBSD’s PF etc, can detect what operating system someone is trying to connect with. Now this alone isn’t very interesting but when you build it in to a firewall such as PF you suddenly gain another trick in the tool box.

Most machines in botnets for example are Windows machines. If your admin team use Linux 2.4 then lock down the settings on your firewall to only allow 2.4, this way even if the attackers are local (in terms of geographical IP ranges) they still need to be using the correct operating system to even attempt a connection.

Putting the three concepts I’ve discussed together you’ve reduced the potential for attack on your administration services from anyone in the world, to anyone in your city / country and then to anyone in your city / country running your chosen operating system. And then you can require them to get through key authentication AND a username password check :)