TCLUG Archive
RE: [TCLUG:9695] An interesting site for security
Interesting. My default policy (forward) is deny, but reject on a specific
port generates a "stealth" status on this tester page.
Interesting. I must not have put the DENY command in properly; I retried
the same REJECT command with DENY, and now it shows up as a stealth
system. I should email this guy and let him know that his scanner is not
looking for returned ICMP REJECT messages.
Thank You,
Ben Kochie (ben@nerp.net)
*-----------------------* [ - * - * - * - * - * - * - * - ]
| Unix/Linux Consulting | [ Haiku Error Message: ]
| PC/Mac Repair | [ Chaos reigns within. ]
| Networking | [ Reflect, repent, and reboot. ]
| http://nerp.net | [ Order shall return. ]
*-----------------------* [ - * - * - * - * - * - * - * - ]
"Unix is user friendly. It's just picky about its friends."
On Tue, 2 Nov 1999, ^chewie wrote:
> On Tue, 2 Nov 1999, Ben Kochie wrote:
>
> BK >wow, i guess linux must be based on stealth technology, i ran the
> BK >portscanner thing on my box at work, which is behind a perfect linux
> BK >ip_masq firewall (no ports open to the outside, OR inside)
> BK >
> BK >and it showed all my ports as closed (as it should)
> BK >
> BK >but it says that closed isn't good enough, SO i tried this..
> BK >
> BK >ipchains -A input -p TCP -d 0.0.0.0/0 23 -j REJECT
> BK >
> BK >and look, it now shows up as a STEALTH port..
>
> Oh, bad. If you use a default policy of DENY, the querying server
> won't know what's happening. It simply won't know if a service is
> being offered or not. If you REJECT, you've given a potential hacker
> a bit of knowledge. You've told the hacker that there IS indeed a
> server at that IP address and that someone has proactively REJECTED a
> packet. That means there's a firewall installed. Time to start
> looking for firewall exploits... It gives someone a direction whereas
> DENY will leave them guessing...
>
> Later!
>
> ^chewie
>
> +----------------------------------------------------+
> | Chad Walstrom mailto:chewie@wookimus.net |
> | ICQ: 9985127 http://wookimus.net/~chewie |
> +----------------------------------------------------+
> Need a new truck? Check out my '97 Explorer 2-door
> Sport at http://wookimus.net/~chewie/truck.html
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tclug-list-unsubscribe@mn-linux.org
> For additional commands, e-mail: tclug-list-help@mn-linux.org
>
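The DENY-versus-REJECT point the thread argues about, as an added example that is not part of the original posts or of ipchains itself. It models in-process what a SYN probe gets back from a host behind a packet filter (ACCEPT, DENY or REJECT verdict, with or without a listener) and classifies the reply two ways: a naive scanner that looks only at TCP replies, like the web tester Ben used, and one that also reads ICMP errors. The port numbers, policy table and function names are constructed for the illustration; no packets are sent.

```python
"""Added example: how a port scanner interprets DENY vs REJECT.

Simulates the reply a SYN probe gets from a host behind an ipchains-style
filter and shows why a DENY (silent drop) and a REJECT (ICMP error) look the
same to a scanner that only inspects TCP replies, but not to one that also
watches for ICMP. All packets are constructed in-process; nothing is sent.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

ICMP_DEST_UNREACH = 3        # ICMP type 3, destination unreachable
ICMP_PORT_UNREACH = 3        # code 3: what ipchains -j REJECT returns for TCP/UDP


@dataclass(frozen=True)
class Reply:
    """One packet the scanner receives in answer to its SYN probe."""
    proto: str                 # "tcp" or "icmp"
    tcp_flags: str = ""        # "SA" = SYN/ACK, "R" = RST
    icmp_type: int = -1
    icmp_code: int = -1


def firewall_reply(action: str, listening: bool) -> Optional[Reply]:
    """Simulate the host's answer to a SYN, given the filter verdict for the
    port and whether a daemon is bound to it (constructed model, not a kernel).

    ACCEPT -> the TCP stack answers: SYN/ACK if something listens, else RST.
    DENY   -> the packet is silently dropped: no reply at all.
    REJECT -> the packet is dropped and an ICMP port-unreachable is returned.
    """
    if action == "ACCEPT":
        return Reply("tcp", tcp_flags="SA" if listening else "R")
    if action == "DENY":
        return None
    if action == "REJECT":
        return Reply("icmp", icmp_type=ICMP_DEST_UNREACH, icmp_code=ICMP_PORT_UNREACH)
    raise ValueError(f"unknown target {action!r}")


def classify_tcp_only(reply: Optional[Reply]) -> str:
    """Naive scanner: only TCP replies count; anything else is 'stealth'."""
    if reply is not None and reply.proto == "tcp":
        return "open" if reply.tcp_flags == "SA" else "closed"
    return "stealth"


def classify_with_icmp(reply: Optional[Reply]) -> str:
    """Scanner that also reads ICMP errors, the way nmap reports 'filtered'."""
    if reply is None:
        return "filtered"      # silently dropped: consistent with DENY
    if reply.proto == "tcp":
        return "open" if reply.tcp_flags == "SA" else "closed"
    if reply.proto == "icmp" and reply.icmp_type == ICMP_DEST_UNREACH:
        # An ICMP error proves a host is there and something filtered the probe.
        return f"filtered (ICMP unreachable code {reply.icmp_code})"
    return "unknown"


def scan(policy: Dict[int, str], listening: Set[int]) -> Dict[int, Dict[str, str]]:
    """Run both classifiers over every port in the policy table."""
    results: Dict[int, Dict[str, str]] = {}
    for port, action in sorted(policy.items()):
        reply = firewall_reply(action, port in listening)
        results[port] = {
            "tcp_only": classify_tcp_only(reply),
            "icmp_aware": classify_with_icmp(reply),
        }
    return results


# Constructed policy for the example: default DENY on 25, the REJECT on 23
# from the thread, ssh accepted on 22, and 80 accepted with nothing listening.
EXAMPLE_POLICY = {22: "ACCEPT", 23: "REJECT", 25: "DENY", 80: "ACCEPT"}
EXAMPLE_LISTENING = {22}       # only sshd is bound


if __name__ == "__main__":
    for port, verdicts in scan(EXAMPLE_POLICY, EXAMPLE_LISTENING).items():
        print(f"port {port:3d}: tcp-only scanner says {verdicts['tcp_only']:8s}"
              f"icmp-aware scanner says {verdicts['icmp_aware']}")
```

Port 23 is the case from the thread: the tcp-only classifier calls the REJECTed port "stealth", exactly as it does the DENYed port 25, while the ICMP-aware classifier sees the port-unreachable and reports a filtering host. That is the difference ^chewie describes, and it only shows up if the scanner bothers to look at ICMP.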