Amadeus W. M. wrote:

> portsentry was specifically designed for this purpose. Beware though,
> dynamic port locking is a two-edged sword. It can be used for a dos, as
> someone at evil.com can masquerade as one of your legitimate users, etc.

(DOS = Denial of Service = stopping legitimate users from accessing a site.)

Actually, it takes a bit more than that -- at least for FTP (and SSH).

Both FTP and SSH use TCP -- a TCP connection needs to be set up before users can start the process of logging in. This involves a three-way handshake between the client and the server. Both server and client send various data (including deliberately hard-to-guess sequence numbers) which the other side is then expected to know and use.

This means that if a client connects to a server pretending to be 172.27.5.39, the server will send its responses to 172.27.5.39, and the client will be expected to know what they are. That makes spoofing TCP/IP connections impractical unless either

1) the attacker is on your local network (in which case they have a number of other DOS possibilities, including pretending to be the router and DOSsing the entire site);

2) the attacker is on the same local network as 172.27.5.39 (in which case they also have a range of other attacks);

3) the attacker has access to the routers between the two computers, or can affect the routing tables, in which case they have plenty of opportunities for introducing other DOS attacks (and this is extremely rare in practice); or

4) for some reason (e.g. NAT, proxying, or dynamic IP address assignment) both the attacker and a legitimate client appear to come from the same IP address.

So if a TCP/IP address makes it into your firewall rules, then either it or something on the way *is* bad, and the chances are that it's at either end of the link. That makes it more of a local security problem than anything else -- you can't police the Internet, but you should be able to police (or get someone to police) local networks.

James.
--
E-mail: james@      | [The Child Support Agency] spent $500M on a computer
aprilcottage.co.uk  | system from EDS that did not work. The solution? Give EDS
                    | $250M more to fix the broken system. I'm sure we can all
                    | recognise the two simple errors made there. -- Geoff Lane
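The handshake argument in James's reply, worked through as a small simulation. This is an added example, not code from the original thread or from portsentry; the Server class, the function names and the 172.27.5.39 / port values are assumptions chosen to mirror the post. A server picks a random 32-bit initial sequence number (ISN) and addresses its SYN-ACK to whatever source IP the SYN claimed. A legitimate client, or an attacker who can read that SYN-ACK (the post's cases 1 to 4: same LAN, on-path, or sharing the victim's address behind NAT), can answer with ISN+1 and complete the handshake; a blind spoofer elsewhere on the Internet never sees the ISN and has to guess it.

```python
"""Why a forged source IP cannot complete a TCP three-way handshake
unless the attacker can observe the server's SYN-ACK.

Added illustration (not from the original post or portsentry). Server,
legitimate_handshake, blind_spoof_attempt and observed_spoof_attempt are
hypothetical names; only the handshake logic is modelled, no real sockets.
"""
import secrets

SEQ_MOD = 2 ** 32          # TCP sequence numbers are 32-bit, wrapping


class Server:
    """Minimal TCP responder: remembers half-open connections by (ip, port)."""

    def __init__(self):
        self.half_open = {}  # (client_ip, client_port) -> server ISN

    def on_syn(self, client_ip, client_port, client_isn):
        """Receive a SYN; reply with SYN-ACK routed to client_ip.

        The reply goes to the *claimed* source address, not to whoever
        actually put the SYN on the wire.  The server ISN is random and
        hard to guess (the 'deliberately hard-to-guess sequence numbers').
        """
        server_isn = secrets.randbelow(SEQ_MOD)
        self.half_open[(client_ip, client_port)] = server_isn
        return {"to": client_ip, "seq": server_isn,
                "ack": (client_isn + 1) % SEQ_MOD}

    def on_ack(self, client_ip, client_port, ack):
        """Third packet: connection is established only if ack == ISN + 1."""
        server_isn = self.half_open.pop((client_ip, client_port), None)
        if server_isn is None:
            return False
        return ack == (server_isn + 1) % SEQ_MOD


def legitimate_handshake(server, client_ip="172.27.5.39", port=40000):
    """The real owner of client_ip receives the SYN-ACK and answers it."""
    client_isn = secrets.randbelow(SEQ_MOD)
    synack = server.on_syn(client_ip, port, client_isn)
    assert synack["to"] == client_ip          # delivered to the real client
    return server.on_ack(client_ip, port, (synack["seq"] + 1) % SEQ_MOD)


def blind_spoof_attempt(server, spoofed_ip="172.27.5.39", port=40001):
    """Attacker elsewhere on the Internet forges a SYN from spoofed_ip.

    The SYN-ACK is routed to 172.27.5.39, where the attacker is not, so the
    attacker never learns the server ISN and must guess the ACK value.
    """
    client_isn = secrets.randbelow(SEQ_MOD)
    synack = server.on_syn(spoofed_ip, port, client_isn)
    del synack                                # attacker cannot read it
    guessed_ack = secrets.randbelow(SEQ_MOD)  # 1 in 2**32 chance of being right
    return server.on_ack(spoofed_ip, port, guessed_ack)


def observed_spoof_attempt(server, spoofed_ip="172.27.5.39", port=40002):
    """Post's cases 1-4: attacker can see the SYN-ACK (same LAN as either
    end, on the routing path, or sharing the address via NAT/proxy) and so
    can answer correctly.  This is the only way the spoof succeeds."""
    client_isn = secrets.randbelow(SEQ_MOD)
    synack = server.on_syn(spoofed_ip, port, client_isn)
    sniffed_isn = synack["seq"]               # read off the wire / shared NAT
    return server.on_ack(spoofed_ip, port, (sniffed_isn + 1) % SEQ_MOD)


def blind_guess_success_probability():
    """Chance that one blind ACK guess completes the handshake."""
    return 1 / SEQ_MOD


if __name__ == "__main__":
    srv = Server()
    print("legitimate client:", legitimate_handshake(srv))
    print("blind spoofer   :", blind_spoof_attempt(srv))
    print("on-path/NAT     :", observed_spoof_attempt(srv))
    print("blind guess odds:", blind_guess_success_probability())
```

The consequence for a port-locking tool is the one James draws: a bare SYN with a forged source address can arrive at the server, but a forged *connection* to an FTP or SSH port cannot be completed unless the attacker sits at one end of the link or on the path between them, so an address that does get blocked points at a problem near one end rather than at a random stranger on the Internet.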