On Monday 19 February 2007, James Wilkinson wrote:
> Amadeus W. M. wrote:
>> portsentry was specifically designed for this purpose. Beware though,
>> dynamic port locking is a two-edged sword. It can be used for a DoS, as
>> someone at evil.com can masquerade as one of your legitimate users,
>> etc.
>
> (DoS = Denial of Service = stopping legitimate users from accessing a
> site.)
>
> Actually, it takes a bit more than that -- at least for FTP (and SSH).
>
> Both FTP and SSH use TCP -- a TCP connection needs to be set up before
> users can start the process of logging in. This involves a three-way
> handshake between the client and the server. Both server and client send
> various data (including deliberately hard-to-guess sequence numbers)
> which the other side is then expected to know and use.
>
> This means that if a client connects to a server pretending to be
> 172.27.5.39, the server will send its responses to 172.27.5.39, and the
> client will be expected to know what they are. That makes spoofing
> TCP/IP connections impractical unless either
> 1) the attacker is on your local network (in which case they have a
> number of other DoS possibilities, including pretending to be the router
> and DoSsing the entire site);
> 2) the attacker is on the same local network as 172.27.5.39 (in which
> case they also have a range of other attacks);
> 3) the attacker has access to the routers between the two computers, or
> can affect the routing tables, in which case they have plenty of
> opportunities for introducing other DoS attacks (and this is extremely
> rare in practice); or
> 4) for some reason (e.g. NAT, proxying, or dynamic IP address
> assignment) both the attacker and a legitimate client appear to come
> from the same IP address.
>
> So if a TCP/IP address makes it into your firewall rules, then either it
> or something on the way *is* bad, and the chances are that it's at
> either end of the link.
> That makes it more of a local security problem
> than anything else -- you can't police the Internet, but you should be
> able to police (or get someone to police) local networks.

Portsentry can be a valuable tool in the defense dept. But its main forte is its interactions with tcpwrappers and iptables. I used it for years, and the only time I ever had to override its judgment and clear a site's address out of my firewall's /etc/hosts.deny file was when the offending site was my primary Verizon DNS server. In 2 cases I looked at the logs, then made the secondary server the first one in order so I could get email flowing again. And the first message I sent both times was a nastygram to verizon.net informing them that their Windows DNS server had been 0wned and would they please re-image it AND install the latest patches from Redmond if they insisted on using that insecure crap. They of course never ack'ed the message, but both times the servers went down the next day for about 3 hours each.

The first attack completely bricked a cheap Siemens router I had just bought, but it didn't get past the portsentry/tcpwrappers I was using way back then. So it went back and a Linksys came home. They got through the Linksys one more time but didn't hurt it, and portsentry shut my DNS off again. Another attacker from mainland China tried about a year later, and he also got shut down by portsentry on the first SYN packet. The only trail left behind was the entry in the log.

It's very hard to further your attack on a machine when your address is one that's never going to be responded to by the machine so protected. You cannot prove the machine even exists: no ping response, nothing comes back once portsentry has been tripped. And you can make it very paranoid indeed.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2007 by Maurice Eugene Heskett, all rights reserved.
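Added example, not part of this thread and not portsentry's own code: a small Python model of the trap-port blocking policy the two posts describe, with the two caveats they raise built in. An allowlist keeps infrastructure such as the resolver Gene had to dig out of /etc/hosts.deny from ever being blocked, and only a completed TCP contact counts as a block trigger. The UDP rule goes one step beyond James's argument: because a UDP datagram carries none of the handshake state he describes, its source address can be forged by anyone on the Internet, so a blocker that acted on UDP hits would let a remote attacker put a victim of their choice into hosts.deny. The trap-port list, the addresses (RFC 5737 documentation ranges) and the events are constructed for the example; the hosts.deny and iptables lines it emits use the real tcp_wrappers and iptables syntax.

```python
"""Model of a portsentry-style trap-port blocker with an allowlist.

Constructed example: the trap ports, addresses and events below are made
up for illustration and are not taken from any real configuration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed trap-port set; a real deployment uses whatever ports are
# configured for the trap listener.
TRAP_PORTS = {1, 11, 15, 111, 540, 635, 1080, 12345, 31337}


@dataclass
class Event:
    proto: str   # "tcp" (a connect that reached the trap) or "udp"
    src: str     # source address as seen on the wire
    dport: int   # destination port on the protected host


@dataclass
class TrapBlocker:
    # Networks that must never be blocked: resolvers, gateway, monitoring.
    allow: list = field(default_factory=list)
    blocked: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self.allow = [ipaddress.ip_network(n, strict=False) for n in self.allow]

    def allowlisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def handle(self, ev: Event) -> str:
        """Process one event and return the action taken."""
        if ev.src in self.blocked:
            return "dropped"          # already blocked: never answer again
        if ev.dport not in TRAP_PORTS:
            return "ignored"          # not a trap port: ordinary traffic
        if ev.proto != "tcp":
            # A UDP source address is unauthenticated and trivially forged;
            # blocking on it would hand the attacker a DoS against anyone.
            self.log.append(f"udp probe from {ev.src} to port {ev.dport} (log only)")
            return "logged"
        if self.allowlisted(ev.src):
            # The resolver case from the thread: log loudly, never block.
            self.log.append(f"trap hit from ALLOWLISTED {ev.src} to tcp/{ev.dport}")
            return "allowlisted"
        self.blocked.add(ev.src)
        self.log.append(f"blocked {ev.src} after tcp/{ev.dport} trap hit")
        return "blocked"

    def hosts_deny_lines(self) -> list[str]:
        """tcp_wrappers /etc/hosts.deny syntax: one 'ALL: addr' per source."""
        return [f"ALL: {ip}" for ip in sorted(self.blocked)]

    def iptables_lines(self) -> list[str]:
        """Packet-filter equivalent; DROP so nothing at all is sent back."""
        return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(self.blocked)]


def run_demo():
    """Feed constructed events through the blocker; returns (blocker, actions)."""
    b = TrapBlocker(allow=["192.0.2.53/32", "192.0.2.0/29"])
    events = [
        Event("tcp", "198.51.100.7", 80),      # ordinary request
        Event("tcp", "203.0.113.5", 111),      # scanner touches a trap port
        Event("tcp", "203.0.113.5", 22),       # follow-up from the same scanner
        Event("udp", "198.51.100.9", 31337),   # spoofable UDP probe
        Event("tcp", "192.0.2.53", 111),       # your own resolver hits a trap
    ]
    actions = [b.handle(e) for e in events]
    return b, actions


if __name__ == "__main__":
    blocker, actions = run_demo()
    for line in blocker.log:
        print(line)
    print("\n".join(blocker.hosts_deny_lines()))
    print("\n".join(blocker.iptables_lines()))
```

The allowlist is the part worth copying: it is the check that would have spared the two manual clean-ups of /etc/hosts.deny described above, and it is cheap to populate from /etc/resolv.conf and the default route before the blocker is armed.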