Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
RE: Re: [suse-security] SuSEfirewall2 behaves strangely
From: Tom Knight (thomas.knightahds.ac.uk)
Date: Fri Jan 09 2004 - 06:52:05 CST
> -----Original Message-----
> From: Barry Gill [mailto:brry.co.za]
> Sent: 09 January 2004 11:45
> To: suse-securitysuse.com
> Subject: RE: Re: [suse-security] SuSEfirewall2 behaves strangely
> > > Does anybody know how I can tell the SuSEfirewall2...
> > > ... to stealth *all* ports to the internet, including port 113.
> Try FW_REJECT= yes
> rejecting packest rather than dropping packets tells the querying
> system that that service does not exist.
> so unless the rules allow for a connection, packets will be rejected.
> causes a bit of extra bandwidth, but at least it gives no info
> about your system....
Surely what you want to do is not tell someone the sevice doesn't exist, but
rather not tell them anything? If you drop the packet they don't even know
that the port exists, not that the port exists and is configured not to let
them access it.
Trying to ftp to (say): 188.8.131.52 I get a "connection refused"
Oh ho, a machine is there, what else can I try?
If the attacker tries port 1 against 184.108.40.206, port 2 against 220.127.116.11
etc, he'll find your machine and attack. This is one of the port scans I've
seen in use against my old work.
If you drop everything (except for externally available ports), then there's
a good chance the attacher won't try (say) port 21 against 18.104.22.168, and
so won't see that that machine exists.
Also read the comments of /etc/syconfig/SuSEfirewall2 for that section, in
the area labelled "EXPERT OPTIONS - all others please don't change these!":
# Do you want to REJECT packets instead of DROPing?
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# Choice: "yes" or "no", if not set defaults to "no"
Dropping packets is actually a line of defense, and you really should use
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here