Re: [suse-security] HTTP Strange LOG
From: Peter van den Heuvel (peter bank-connect.com)
Date: Thu Jul 10 2003 - 04:50:01 CDT
> I think a protection can only let pass established connection through
> your iptables firewall and drop all ports used by known trojans. The
> best is to drop all trojan connections (INPUT-, FORWARD- and
> OUTPUT-CHAIN).
1) "To only let pass an established connection"? Please explain how you
imagine connections getting established as at that stage they are NOT
yet established and no traffic will pass.
2) Code Red is a worm and its propagation does not relate to it also
being a trojan.
3) There is no such thing as "all known ports" used by trojans.
4) If you need security, you drop or reject everything except what you
require.
5) You must do so with regard to direction. And even that is of limited
help as the more advanced trojans use various chat services to actively
connect to from the inside out.
6) Many worms and trojans use legitimate ports AND the designated
protocol along with it. Then they exploit some weakness in the server
(or client) software (often buffer overflows) to make the software
behave outside its specification. Code Red in fact uses http over port
80. In fact a mighty security suggestion: block port 80 towards your
web-server.
Peter
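The points in the reply above can be checked with a toy first-match packet filter. This is an added example, not part of the original message; the rule model, the policy names and the sample ports (12345, 31337, 6667) are constructed for illustration and only approximate iptables semantics.

```python
from dataclasses import dataclass
from typing import Optional

ACCEPT, DROP = "ACCEPT", "DROP"
ANY = ("NEW", "ESTABLISHED")

@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out", seen from the protected host
    states: tuple           # connection-tracking states the rule matches
    dport: Optional[int]    # None matches any destination port
    verdict: str

def decide(rules, default, direction, state, dport):
    """First matching rule wins; otherwise the chain policy applies."""
    for r in rules:
        if r.direction == direction and state in r.states and r.dport in (None, dport):
            return r.verdict
    return default

def session_passes(policy, direction, dport):
    """A connection works only if its first (NEW) packet, the peer's reply
    and the following data packets are all accepted. Note that no payload
    is inspected anywhere: the filter sees direction, state and port only."""
    rules, default = policy
    back = "out" if direction == "in" else "in"
    return (decide(rules, default, direction, "NEW", dport) == ACCEPT
            and decide(rules, default, back, "ESTABLISHED", None) == ACCEPT
            and decide(rules, default, direction, "ESTABLISHED", dport) == ACCEPT)

# Quoted suggestion: let only established connections pass (point 1).
ESTABLISHED_ONLY = ([Rule("in", ("ESTABLISHED",), None, ACCEPT),
                     Rule("out", ("ESTABLISHED",), None, ACCEPT)], DROP)
# Quoted suggestion: drop "trojan ports", allow the rest (points 3 and 5).
PORT_BLOCKLIST = ([Rule(d, ANY, p, DROP)
                   for d in ("in", "out") for p in (12345, 31337)], ACCEPT)
# Point 4: drop everything except inbound HTTP and replies to it.
DEFAULT_DENY = ([Rule("in", ANY, 80, ACCEPT),
                 Rule("out", ("ESTABLISHED",), None, ACCEPT)], DROP)

def summary(policy):
    """Which of three constructed sessions get through the policy."""
    return {"inbound http/80": session_passes(policy, "in", 80),
            "inbound 31337": session_passes(policy, "in", 31337),
            "outbound chat/6667": session_passes(policy, "out", 6667)}

if __name__ == "__main__":
    for name in ("ESTABLISHED_ONLY", "PORT_BLOCKLIST", "DEFAULT_DENY"):
        print(name, summary(globals()[name]))
```

Under DEFAULT_DENY the inbound port 80 session still passes whatever the request contains, which is point 6: a worm speaking HTTP to the web server looks the same to the packet filter as any other client.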