

Does your webapp really need network access? - pmoriarty
https://blog.flameeyes.eu/2014/10/does-your-webapp-really-need-network-access

======
bradleyland
This is really great advice. Servers should implement a policy of default deny
wherever possible. While it might not block the attacks directly, it can
significantly inhibit the attacker's ability to quickly pivot to a useful
pwned box. For example, most scripted attacks leverage an exploit, then
immediately download a payload, execute, and phone home to "register" the box
on the attacker's network of owned machines. Having a solid set of firewall
rules based on a base policy of default deny will stop these scripted attacks,
which constitute the vast majority of the attacks you'll see knocking on your
door in the wild.
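
An added example, not part of the comment above: when the default-deny egress rule also logs what it drops, the blocked payload download or phone-home attempt becomes a detection signal. The sketch parses constructed netfilter LOG lines and counts blocked outbound attempts per service account; the `EGRESS-DENY: ` log prefix, the hosts and the use of UID 33 for the web server account are assumptions.

```python
import re
from collections import Counter

# Constructed sample: netfilter LOG lines for packets dropped by a default-deny
# OUTPUT chain. "EGRESS-DENY: " is a hypothetical log prefix; UID=/GID= are
# present when the LOG rule is set to record the owning user.
SAMPLE_LOG = """\
Oct 12 03:14:07 web1 kernel: EGRESS-DENY: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=45678 DPT=80 SYN URGP=0 UID=33 GID=33
Oct 12 03:14:08 web1 kernel: EGRESS-DENY: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=45680 DPT=80 SYN URGP=0 UID=33 GID=33
Oct 12 03:14:09 web1 kernel: EGRESS-DENY: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 LEN=60 TTL=64 PROTO=TCP SPT=45702 DPT=443 SYN URGP=0 UID=33 GID=33
Oct 12 04:00:01 web1 kernel: EGRESS-DENY: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.53 LEN=76 TTL=64 PROTO=UDP SPT=51000 DPT=123 LEN=56 UID=0 GID=0
Oct 12 04:02:11 web1 kernel: INGRESS-DENY: IN=eth0 OUT= SRC=192.0.2.99 DST=10.0.0.5 LEN=40 TTL=51 PROTO=TCP SPT=40000 DPT=23 SYN URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs; value may be empty (IN=)


def parse_drops(log_text, prefix="EGRESS-DENY: "):
    """Yield one dict of KEY=value fields per logged egress drop."""
    for line in log_text.splitlines():
        _, found, rest = line.partition(prefix)
        if found:
            yield dict(FIELD.findall(rest))


def blocked_egress_by_uid(log_text, watched_uids):
    """Count dropped outbound attempts per (uid, dst, proto, dport) for
    accounts that are not expected to open outbound connections."""
    counts = Counter()
    for f in parse_drops(log_text):
        uid = int(f.get("UID", -1))  # -1: rule did not log the owner
        if uid in watched_uids:
            # ICMP and similar have no DPT; record port 0 for them.
            key = (uid, f.get("DST", "?"), f.get("PROTO", "?"), int(f.get("DPT", 0)))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    # UID 33 as the web server account is an assumption for this sample.
    for (uid, dst, proto, dport), n in blocked_egress_by_uid(SAMPLE_LOG, {33}).most_common():
        print(f"uid={uid} -> {dst} {proto}/{dport}: {n} blocked attempt(s)")
```
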

