[CentOS] an actual hacked machine, in a preserved state
Les Mikesell
lesmikesell at gmail.com
Tue Jan 3 15:48:03 UTC 2012
On Tue, Jan 3, 2012 at 9:31 AM, Marc Deop <damnshock at gmail.com> wrote:
>
>> Openvpn runs over UDP. With the tls-auth option it won't respond to
>> an unsigned packet. So without the key you can't tell the difference
>> between a listening openvpn or a firewall that drops packets silently.
>> That is, you can't 'find' it.
>
> We are not going to argue drop vs reject, are we? :P
It follows the usual pattern: dropping is more secure in that you
can't tell if anything is there at all, whereas rejecting is more
convenient because attempts to open a connection don't have to wait
for timeouts. Pick the one that meets your specific need.
--
Les Mikesell
lesmikesell at gmail.com
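The behaviour described above (an OpenVPN listener with tls-auth that stays silent on unsigned packets, so a scanner cannot distinguish it from a firewall DROP rule) as an added, self-contained model. This is example code written for this page, not OpenVPN's code or anyone's posting in the thread: it uses HMAC-SHA256 over a bare payload on a loopback UDP socket, where real OpenVPN wraps its control channel with its own packet-id framing and defaults to SHA1; the key, port and messages are constructed for the demo.

```python
"""Toy model of tls-auth: answer only HMAC-signed datagrams, drop the rest.

To a prober without the key the listener looks exactly like a firewall that
drops packets silently: both just time out. Added example, not OpenVPN code.
"""
import hashlib
import hmac
import socket
import threading

TAG_LEN = 32  # HMAC-SHA256 tag length (assumption; OpenVPN itself defaults to SHA1)


def sign(key: bytes, payload: bytes) -> bytes:
    """Prefix the payload with its HMAC tag, mimicking a tls-auth-wrapped packet."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def verify(key: bytes, packet: bytes):
    """Return the payload if the tag is valid, otherwise None."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def serve(key: bytes, sock: socket.socket, stop: threading.Event) -> None:
    """Listener loop: reply to correctly signed packets, silently drop everything else."""
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(2048)
        except socket.timeout:
            continue
        payload = verify(key, data)
        if payload is None:
            continue  # drop silently: no reply, no ICMP, nothing for a scanner to see
        sock.sendto(sign(key, b"ACK:" + payload), peer)


def probe(port: int, packet: bytes, timeout: float = 0.5):
    """Send one datagram to the listener and return the reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, ("127.0.0.1", port))
        try:
            return s.recvfrom(2048)[0]
        except socket.timeout:
            return None


def demo():
    """Run three probes against a local listener and return what each one got back."""
    key = b"constructed-demo-key"  # constructed for the demo
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, chosen by the OS
    port = srv.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(target=serve, args=(key, srv, stop), daemon=True)
    t.start()
    try:
        unsigned = probe(port, b"HELLO")                   # scanner without any key
        wrong_key = probe(port, sign(b"wrong", b"HELLO"))  # scanner guessing a key
        signed = probe(port, sign(key, b"HELLO"))          # legitimate client
    finally:
        stop.set()
        t.join()
        srv.close()
    reply = verify(key, signed) if signed else None
    return {"unsigned": unsigned, "wrong_key": wrong_key, "signed": reply}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result!r}")
```

The two unsigned probes come back as None after the timeout, which is the same thing a scanner sees from a port behind a DROP rule; only the probe signed with the shared key gets an answer. A REJECT rule, by contrast, would produce an immediate ICMP port-unreachable, which is the convenience (and the information leak) the thread is weighing.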