Re: Blocking port automatically

On Monday 19 February 2007, James Wilkinson wrote:
>Amadeus W. M. wrote:
>> portsentry was specifically designed for this purpose. Beware though,
>> dynamic port locking is a two-edged sword. It can be used for a DoS, as
>> someone at evil.com can masquerade as one of your legitimate users,
>> etc.
>
>(DOS = Denial of Service = stopping legitimate users from accessing a
>site.)
>
>Actually, it takes a bit more than that -- at least for FTP (and SSH).
>
>Both FTP and SSH use TCP -- a TCP connection needs to be set up before
>users can start the process of logging in. This involves a three-way
>handshake between the client and the server. Both server and client send
>various data (including deliberately hard-to-guess sequence numbers)
>which the other side is then expected to know and use.
>
>This means that if a client connects to a server pretending to be
>172.27.5.39, the server will send its responses to 172.27.5.39, and the
>client will be expected to know what they are. That makes spoofing
>TCP/IP connections impractical unless either
>1) the attacker is on your local network (in which case they have a
>number of other DOS possibilities, including pretending to be the router
>and DOSsing the entire site);
>2) the attacker is on the same local network as 172.27.5.39, (in which
>case they also have a range of other attacks);
>3) the attacker has access to the routers between the two computers, or
>can affect the routing tables, in which case they have plenty of
>opportunities for introducing other DOS attacks (and this is extremely
>rare in practice); or
>4) for some reason (e.g. NAT, proxying, or dynamic IP address
>assignment) both the attacker and a legitimate client appear to come
>from the same IP address.
>
>So if a TCP/IP address makes it into your firewall rules, then either it
>or something on the way *is* bad, and the chances are that it's at
>either end of the link. That makes it more of a local security problem
>than anything else -- you can't police the Internet, but you should be
>able to police (or get someone to police) local networks.
>
Portsentry can be a valuable tool in the defense dept.  But its main forte 
is its interactions with tcpwrappers and iptables.  I used it for years 
and the only time I ever had to override its judgment and clear a site's 
address out of my firewall's /etc/hosts.deny file was when the offending 
site was my primary Verizon DNS server. 

In 2 cases I looked at the logs, then made the secondary server the first 
one in order so I could get email flowing again.  And the first message I 
sent both times was a nastygram to verizon.net informing them that their 
Windows DNS server had been 0wned and would they please re-image it AND 
install the latest patches from Redmond if they insisted on using that 
insecure crap.  They of course never ack'ed the message, but both times 
the servers went down the next day for about 3 hours each.  The first 
attack completely bricked a cheap Siemens router I had just bought, but 
it didn't get past the portsentry/tcpwrappers I was using way back then.  
So it went back and a Linksys came home.  They got through the Linksys 
one more time but didn't hurt it, and portsentry shut my DNS off again.  
Another attacker from mainland China tried about a year later, and he 
also got shut down by portsentry on the first SYN packet.  The only trail 
left behind was the entry in the log.

It's very hard to further your attack on a machine when your address is one 
that's never going to be responded to by the machine so protected.  You 
cannot prove the machine even exists: no ping response, nothing comes 
back once portsentry has been tripped. And you can make it very paranoid 
indeed.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2007 by Maurice Eugene Heskett, all rights reserved.
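As an added example, not code from this thread or from portsentry itself: a small Python model of the reactive block decision the thread is arguing over, with the two safeguards that limit the "two-edged sword" problem, a never-block list for hosts you depend on (the role portsentry's ignore file plays; Gene's own resolver is the case in point) and an expiry so that a mistaken or attacker-induced block, including one that lands on a NAT address shared with legitimate users, is bounded in time. All addresses are constructed placeholders.

```python
import ipaddress
from datetime import datetime, timedelta

# Hypothetical never-block list (constructed placeholder addresses): the
# resolvers this host depends on and the local network, the hosts the thread
# says a reactive blocker must not be allowed to lock out.
NEVER_BLOCK = [
    ipaddress.ip_network("192.0.2.53/32"),  # primary DNS resolver
    ipaddress.ip_network("192.0.2.54/32"),  # secondary DNS resolver
    ipaddress.ip_network("10.0.0.0/8"),     # local network
]


class PortBlocker:
    """Reactive blocker: one SYN to an unused port blocks the source."""

    def __init__(self, never_block=NEVER_BLOCK, expire=timedelta(hours=1)):
        self.never_block = never_block
        self.expire = expire   # bounds the damage of a wrong or induced block
        self.blocked = {}      # ip -> expiry time

    def on_probe(self, src, port, now):
        """Decide what to do with a probe from src to unused port `port`."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.never_block):
            return "ignore"            # never block our own infrastructure
        if ip in self.blocked and self.blocked[ip] > now:
            return "already-blocked"
        self.blocked[ip] = now + self.expire
        return "block"

    def hosts_deny(self, now):
        """Live entries in hosts.deny syntax; expired blocks are dropped."""
        live = sorted(ip for ip, exp in self.blocked.items() if exp > now)
        return "\n".join(f"ALL: {ip}" for ip in live)


def simulate():
    """Constructed probe sequence: a scanner, then the host's own resolver."""
    t0 = datetime(2007, 2, 19, 12, 0, 0)
    pb = PortBlocker()
    actions = [
        pb.on_probe("198.51.100.7", 23, t0),                         # scanner
        pb.on_probe("192.0.2.53", 111, t0),                          # resolver
        pb.on_probe("198.51.100.7", 22, t0 + timedelta(minutes=5)),  # repeat
    ]
    return actions, pb.hosts_deny(t0), pb.hosts_deny(t0 + timedelta(hours=2))
```

Running `simulate()` shows the scanner blocked and written to hosts.deny, the resolver's probe ignored rather than locking out DNS, and the entry gone once the expiry has passed.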

