[2229] in bugtraq
Re: Livingston bugs...
daemon@ATHENA.MIT.EDU (Dave Andersen)
Tue Sep 12 17:01:31 1995
Date: Tue, 12 Sep 1995 14:50:55 -0600
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Dave Andersen <angio@aros.net>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199509121758.KAA21904@lupine.org> from "Jay 'Whip' Grizzard" at
Sep 12, 95 10:58:01 am
Lo and behold, Jay 'Whip' Grizzard once said:
> I, personally, can't understand such a passive attitude on the part of
> Livingston -- I personally would call a bug where you can crash virtually
> anyone's network connection, from virtually anywhere in the world, to be
> a major bug. Maybe it's just me...
Because there's an easy solution to it which you've mentioned below:
> ObBugTraq: Apparently (at least, under limited testing), putting up a filter
> to prevent folks from getting to your login port from the outside world
> will protect you -- Except I don't _want_ to have to start filtering things
> out, and in some circumstances (backbone routers, etc), it's not exactly
> a viable option. Do YOU want to have the bandwidth of several T1's all
> running through a filter before they get off the router? No, thanks...
Not necessarily. Setting up a really simple filter to disallow
telnets to the portmaster itself is a very trivial option, and has been
discussed at _great_ length with many examples on the portmaster-users
mailing list. Something as simple as
----- Quote from Carl Rigney @ livingston -----
add filter notelnet.in
set filter notelnet.in 1 permit 192.168.2.0/24 192.168.2.2/32 tcp dst eq 23 log
set filter notelnet.in 2 deny 0.0.0.0/0 192.168.2.2/32 tcp dst eq 23 log
set filter notelnet.in 3 permit
set ether0 ifilter notelnet.in
save all
If you're having problems with your dial-in users doing this, you can
block that too by adding the following RADIUS attribute:
Framed-Filter-Id = "notelnet"
------- end quote -----------
will solve that problem and any other possible "telnetting to the
portmaster and doing <blah blah blah>" problem.
-Dave Andersen
--
angio@aros.net Complete virtual hosting and business-oriented
system administration internet services. (WWW, FTP, email)
http://www.aros.net/ http://www.aros.net/about/virtual/
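The quoted filter, modeled as an added example (not code from the post, from Livingston, or from ComOS): ordered first-match-wins rule evaluation over constructed sample packets, plus what happens if the two telnet rules are swapped. The drop of unmatched packets and the 203.0.113.0/24 "outside world" addresses are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One packet arriving on ether0 (constructed representation).
Packet = namedtuple("Packet", "src dst proto dst_port")

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"      # source prefix; default matches any
    dst: str = "0.0.0.0/0"      # destination prefix; default matches any
    proto: str = None           # None matches any protocol
    dst_port: int = None        # None matches any port ("dst eq N" when set)
    log: bool = False           # the trailing "log" keyword

    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dst_port in (None, p.dst_port))

# Mirror of "set filter notelnet.in 1..3" from the quoted post; the
# PortMaster's own address is 192.168.2.2 as in the quote.
NOTELNET_IN = [
    Rule("permit", "192.168.2.0/24", "192.168.2.2/32", "tcp", 23, log=True),
    Rule("deny",   "0.0.0.0/0",      "192.168.2.2/32", "tcp", 23, log=True),
    Rule("permit"),  # bare permit: all other traffic is forwarded
]

def evaluate(rules, p):
    """Return (action, rule number, logged) for the first matching rule.
    An unmatched packet is dropped (assumed default; it is why rule 3 exists)."""
    for n, r in enumerate(rules, start=1):
        if r.matches(p):
            return r.action, n, r.log
    return "deny", None, False

# Constructed sample traffic (203.0.113.0/24 stands in for "the outside world").
INSIDE_ADMIN  = Packet("192.168.2.10", "192.168.2.2",  "tcp", 23)  # rule 1: permit, logged
OUTSIDE_LOGIN = Packet("203.0.113.7",  "192.168.2.2",  "tcp", 23)  # rule 2: deny, logged
OUTSIDE_HOST  = Packet("203.0.113.7",  "192.168.2.50", "tcp", 23)  # rule 3: telnet through the router
OUTSIDE_WWW   = Packet("203.0.113.7",  "192.168.2.2",  "tcp", 80)  # rule 3: other router ports untouched

def misordered():
    """Put the broad deny first: it now shadows the inside permit, so the
    same admin packet is dropped. Rule order, not just content, matters."""
    swapped = [NOTELNET_IN[1], NOTELNET_IN[0], NOTELNET_IN[2]]
    return evaluate(swapped, INSIDE_ADMIN)
```

Only traffic to the PortMaster's own telnet port is touched; telnet to hosts behind it and every other service keep flowing, which is the answer to the "filtering several T1's" objection.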