[1891] in linux-security and linux-alert archive


[linux-security] Re: Services not required?

daemon@ATHENA.MIT.EDU (Gigi Sullivan)
Wed Jun 17 03:11:47 1998

Date: Tue, 16 Jun 1998 09:42:36 +0200
From: Gigi Sullivan <gigi.sullivan@writeme.com>
To: MushyPea <mushypea@dominion.net.uk>
CC: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

Howdy there to all !!! :)
Greetings from Italy.

MushyPea wrote:

> On Thu, 11 Jun 1998, Michael H. Warfield wrote:
>

[snip...]

> > Identd aka auth is spoofable / forgeable on a box you have control.
> > For that reason, nobody generally "relies" on it, even though there are
> > plenty of services which inquire upon it.  The biggest problem is making
> > sure you return SOMETHING for it.  If you don't want to run it, make sure
> > you return an ICMP port unreachable or some such.  Lots of times
> > firewalls will just drop unwanted stuff on the floor to avoid revealing
> > anything about any of the systems behind them.  If you don't want to
> > support identd and don't want to return network host information to "error
> > probes" then return a uniform error on that port for any address in your

[snip...]

> Another 'gotchya' to be aware of:
> I tried using ipfwadm as follows:
>
> /sbin/ipfwadm -I -a reject -P tcp -S 0.0.0.0/0 -D a.b.c.d/32 113
>
> When an outside server decided it wanted to check my ident daemon, it
> attempts a connection, and the Linux packet filtering code sent back a
> 'host administratively unreachable' packet (ICMP type 3, sub-type 10,
> iirc).  This in itself seems okay, apart from two things:
>
> 1) You are blatantly advertising the firewalling.

Sure, unless you decide to replace the ipfwadm line above with this one:

/sbin/ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D a.b.c.d/32 113

This will not generate an icmp message.

> 2) Certain OS's don't recognise the packet - I am informed that certain
> versions of SunOS simply ignore the packet completely, and therefore
> re-send the SYN packet until the TCP session times out - exactly what
> we're trying to avoid.

Since you deny that service (identd in our example), you can also run a little
daemon that opens a raw socket and waits for TCP segments that would be delivered to
the identd service.
Once the segment has arrived on that raw socket, you can simply RST the
connection on the other side, so no one will know whether you have a "simple" fw
running or whether your identd service is down.

Well, this is only my humble opinion :), so feel free to give me some advice if
I'm wrong.
We always learn :)

Have a good time :)

Gigi Sullivan

P.S.
Uh, well .. I'd also like to apologize for my bad English.
---------------------------------------------------------------------------------------------

Linux is really CUTE: Cool User Text Environment :) enjoy yourself

>
>
> Number 2 comes from experience of trying to email a DNS change to
> auto-net@nic.uk, and puzzling why it wouldn't ever leave my machine.  In
> the end, with assistance from a technician at Nominet, we figured it out.
> Now, I just have it dropped completely - my attempt at being 'polite' to
> other mail servers seemed to simply cause more problems.
>
> Just thought I'd share, hope that's of some use to the discussion.
>
> Ian.
>
> --
> Ian Marsh
> mushypea@dominion.net.uk                                   ... Email
> http://www.etchq.demon.co.uk/                              ... WWW
> http://www.dominion.net.uk/ telnet://dominion.net.uk:2468/ ... Dominion
> http://www.alpha4.com/      telnet://alpha4.com:3214/      ... MBa4
>
> --
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
>
> To unsubscribe:
>   mail -s unsubscribe linux-security-request@redhat.com < /dev/null

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
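The thread above contrasts three ways of refusing ident (TCP port 113) probes: an ipfwadm `reject` rule (ICMP administratively prohibited, which advertises the filter), a `deny` rule (silent drop, which leaves some clients retransmitting SYNs until they time out), and Gigi's suggestion of answering with a TCP RST so the client fails fast without learning anything about the filter. The script below is an added illustration and is not part of the thread or of any identd or ipfwadm code. It runs entirely on 127.0.0.1 and shows what an ident client observes in each case. Two things are assumptions of the example rather than what the thread describes: the RST is produced from user space by closing an accepted connection with `SO_LINGER` set to zero (the kernel then sends RST instead of FIN), which completes the handshake first, unlike the raw-socket daemon Gigi proposes that would reset the SYN itself; and the silent `deny` rule is emulated by a listener that accepts and then says nothing, which reproduces the client-side timeout but not the SYN retransmissions. The `IDENT_QUERY` bytes and the port numbers in it are constructed sample data.

```python
"""Constructed demo: what an ident client observes for three ways of
refusing a port. Everything runs on 127.0.0.1 with ephemeral ports."""
import socket
import struct
import threading

IDENT_QUERY = b"6667 , 1234\r\n"   # constructed sample ident request (RFC 1413 shape)


def _listener():
    """Bind a listening TCP socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def rst_responder(srv):
    """Accept one connection and abort it with a TCP RST.

    SO_LINGER with l_onoff=1 and l_linger=0 makes close() discard the
    connection and send RST rather than FIN, so the peer fails at once
    instead of waiting for an answer that never comes."""
    conn, _ = srv.accept()
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()
    srv.close()


def silent_holder(srv, release):
    """Accept and then stay mute: a stand-in (assumption of this example)
    for a silent 'deny' rule, where the client only sees its own timer expire."""
    conn, _ = srv.accept()
    release.wait()
    conn.close()
    srv.close()


def probe(port, timeout=1.0):
    """Behave like an ident client and classify what happened."""
    try:
        s = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"          # kernel answered the SYN with RST: a plainly closed port
    try:
        try:
            s.sendall(IDENT_QUERY)
        except (ConnectionResetError, BrokenPipeError):
            return "reset"        # RST already arrived before we could send
        data = s.recv(1024)
        return "answered" if data else "closed"   # b"" means FIN with no reply
    except (ConnectionResetError, BrokenPipeError):
        return "reset"            # RST arrived while waiting for the reply
    except socket.timeout:
        return "timeout"          # silence: the client burned its whole timer
    finally:
        s.close()


def run_scenarios():
    """Run the three scenarios and return {scenario: outcome}."""
    results = {}

    # 1. Nothing listening: the kernel's own RST, i.e. what a closed port looks like.
    tmp = _listener()
    free_port = tmp.getsockname()[1]
    tmp.close()
    results["closed_port"] = probe(free_port)

    # 2. A user-space RST responder: the fail-fast effect Gigi's daemon aims for.
    srv = _listener()
    t = threading.Thread(target=rst_responder, args=(srv,), daemon=True)
    t.start()
    results["rst_responder"] = probe(srv.getsockname()[1])
    t.join()

    # 3. Silence: the client waits out its timeout, as behind a drop rule.
    srv = _listener()
    release = threading.Event()
    t = threading.Thread(target=silent_holder, args=(srv, release), daemon=True)
    t.start()
    results["silent"] = probe(srv.getsockname()[1], timeout=0.5)
    release.set()
    t.join()
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14s} -> {outcome}")
```

Running it prints `refused` for the closed port, `reset` for the responder and `timeout` for the mute listener. The first two are what a remote mail or IRC server's ident lookup gets from a machine that simply does not run identd, and they let the lookup fail in one round trip; the third is the behaviour Ian's SunOS example ran into. Neither of the RST outcomes says whether a packet filter is in the path, which is the property the thread is after.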

