Morning
I just about agree with Jeroen.
* on the Wed, Sep 16, 2009 at 10:38:21AM +0200, Jeroen Massar wrote:
> As you say 'webhosting', your biggest worry though won't be that, it will be all the great php/perl/whatever scripts written by people who haven't figured out what security means, causing great things such as SQL injections or just simple remote file inclusions. (aka, enable php error logging in full to a file, and see what junk you get, and you might want to consider running PHP with Suhosin.)
That's not enough, by far. You might consider using mod_security.
>> I used to see some dirty forged packets hitting the servers.
> Nothing you can do about it as upstream needs to take care of spoofed packets.
You can do some rough ingress-filtering on your routers. And you definitely should do egress-filtering on them, so YOU can't become a source of spoofed packets.
> Nevertheless, iptables can take care of most of the junk.
Yes, I'd recommend to do just that. Filter out any junk with iptables; block any ports you're not using for services from the outside (so any user on your machine running a daemon can't have connections to it from the outside), and limit outgoing connections. I personally also like to rate-limit ICMP.
But don't be over-zealous, especially not where ICMP is concerned: http://portal.acm.org/citation.cfm?id=1050542
Cheers Seegras
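As an added illustration of the iptables advice in this message (not the poster's own rules), the following constructed script applies the points made above on one host: drop inbound ports not used for services, drop outbound packets that do not carry the host's own source address so it cannot emit spoofed traffic, restrict new outgoing connections, and rate-limit ICMP without breaking it. The interface name eth0, the TEST-NET-3 address 203.0.113.10 and the service port list are assumptions; by default the script only prints the rules.

```shell
#!/bin/sh
# Constructed example, not the poster's rules: a host firewall along the lines
# discussed in the thread. Assumes one public interface $WAN with address
# $WAN_IP (a TEST-NET-3 placeholder) serving 22/80/443 TCP. By default the
# rules are only printed (dry run); run as root with IPT=iptables to apply.
WAN="${WAN:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.10}"
SERVICE_PORTS="${SERVICE_PORTS:-22 80 443}"
IPT="${IPT:-echo iptables}"

build_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Rough ingress filtering: outside packets may not claim our own address
    # or a private (RFC 1918) source.
    $IPT -A INPUT -i "$WAN" -s "$WAN_IP" -j DROP
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
    done
    # Egress filtering: only packets with our real source address leave, so a
    # compromised script on this box cannot emit spoofed traffic.
    $IPT -A OUTPUT -o "$WAN" ! -s "$WAN_IP" -j DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inbound: only the ports we serve; a daemon a local user starts on any
    # other port is unreachable from outside.
    for p in $SERVICE_PORTS; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Outbound: new connections only to what the host legitimately needs.
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
    for p in 53 80 443 25; do
        $IPT -A OUTPUT -o "$WAN" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # ICMP: rate-limit echo requests, but never drop "fragmentation needed"
    # (type 3 code 4), which path MTU discovery depends on.
    $IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 20 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    $IPT -A INPUT -p icmp -m limit --limit 10/s -j ACCEPT
    $IPT -A OUTPUT -p icmp -j ACCEPT
    # Log a sample of what is dropped so the junk stays visible.
    $IPT -A INPUT -m limit --limit 2/min -j LOG --log-prefix "fw-in-drop: "
    $IPT -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "fw-out-drop: "
}
build_rules
```

Rule order matters: the conntrack ACCEPT lines must precede the port-specific rules, and the egress DROP must come before any OUTPUT ACCEPT, or spoofed packets slip through on an already accepted match.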