[1862] in linux-security and linux-alert archive


[linux-security] Re: Services not required?

daemon@ATHENA.MIT.EDU (MushyPea)
Sun Jun 14 05:26:35 1998

Date: Thu, 11 Jun 1998 15:17:12 +0100 (BST)
From: MushyPea <mushypea@dominion.net.uk>
Reply-To: MushyPea <mushypea@dominion.net.uk>
To: linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.96.980611145549.13622A-100000@limbo.alpha4.com>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

On Thu, 11 Jun 1998, Michael H. Warfield wrote:

> John "E.R." Jasen enscribed thusly:
> 
> > On Tue, 9 Jun 1998, A Dark Elf wrote:
> 
> > Ummm ... A lot of sites are set to interrogate your identd server when 
> > you access them for (mail|ftp|telnet|etc). It makes a good first defense
> > against various 'badness'.
> 
> Identd aka auth is spoofable / forgeable on a box you have control.
> For that reason, nobody generally "relies" on it, even though there are
> plenty of services which inquire upon it.  The biggest problem is making
> sure you return SOMETHING for it.  If you don't want to run it, make sure
> you return an ICMP port unreachable or some such.  Lots of times
> firewalls will just drop unwanted stuff on the floor to avoid revealing
> anything about any of the systems behind them.  If you don't want to
> support identd and don't want to return network host information to "error
> probes" then return a uniform error on that port for any address in your
> address space. Otherwise, every time you send an E-Mail message, the smtp
> server at the other end will try and contact your ident server and have to
> time out.  That introduces ridiculous delays in mail delivery.

Another 'gotcha' to be aware of:
I tried using ipfwadm as follows:

/sbin/ipfwadm -I -a reject -P tcp -S 0.0.0.0/0 -D a.b.c.d/32 113

When an outside server decided it wanted to check my ident daemon, it
attempted a connection, and the Linux packet filtering code sent back a
'host administratively unreachable' packet (ICMP type 3, sub-type 10,
iirc).  This in itself seems okay, apart from two things:

1) You are blatantly advertising the firewalling.

2) Certain OSes don't recognise the packet - I am informed that certain
versions of SunOS simply ignore the packet completely, and therefore
re-send the SYN packet until the TCP session times out - exactly what
we're trying to avoid.

Number 2 comes from experience of trying to email a DNS change to
auto-net@nic.uk, and puzzling why it wouldn't ever leave my machine.  In
the end, with assistance from a technician at Nominet, we figured it out.
Now, I just have it dropped completely - my attempt at being 'polite' to
other mail servers seemed to simply cause more problems.

Just thought I'd share, hope that's of some use to the discussion.


Ian.

--
Ian Marsh
mushypea@dominion.net.uk                                   ... Email
http://www.etchq.demon.co.uk/                              ... WWW
http://www.dominion.net.uk/ telnet://dominion.net.uk:2468/ ... Dominion
http://www.alpha4.com/      telnet://alpha4.com:3214/      ... MBa4

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
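As an added example (not part of the original thread or of any tool it mentions), a small Python check a mail administrator can run against their own host to see which of the three outcomes discussed above an ident lookup gets: a fast refusal, an ICMP unreachable, or a silent drop that runs until the timeout. The host and port are parameters; the loopback helpers exist only so the script can demonstrate itself offline.

```python
import errno
import socket
import time

IDENT_PORT = 113


def probe_ident(host, port=IDENT_PORT, timeout=5.0):
    """Connect to host:port the way an SMTP or FTP server's ident lookup does
    and classify the answer.  Returns (outcome, elapsed_seconds), outcome being:
      'open'        something accepted the connection (an identd is listening)
      'refused'     TCP RST or ICMP port-unreachable: fast, no delivery delay
                    (Linux reports both as ECONNREFUSED, so they look alike here)
      'unreachable' ICMP host/net unreachable, including the type 3 code 10
                    'administratively prohibited' that ipfwadm reject sends;
                    fast here, but a stack that ignores it keeps resending SYNs
      'dropped'     nothing came back and the connect ran to the timeout:
                    the mail-delivery stall the thread describes
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = 'open'
    except socket.timeout:
        outcome = 'dropped'
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            outcome = 'refused'
        elif exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            outcome = 'unreachable'
        else:
            raise
    finally:
        sock.close()
    return outcome, time.monotonic() - start


def listening_loopback_socket():
    """Self-test helper: a listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_loopback_port():
    """Self-test helper: an ephemeral port that was just released, so a
    connect to it should draw an immediate RST ('refused')."""
    srv, port = listening_loopback_socket()
    srv.close()
    return port
```

Run it against your own mail host's port 113 from outside; an outcome of 'dropped' with elapsed near the timeout is exactly the delay the other end's SMTP server will suffer on every message you send.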

