
RE: Re: [suse-security] SuSEfirewall2 behaves strangely

>Surely what you want to do is not tell someone the service doesn't exist,
>rather not tell them anything? If you drop the packet they don't even know
>that the port exists, not that the port exists and is configured not to let
>them access it.

Any port scanner worth the two minutes it takes to install will very easily
tell you that the machine you are querying exists and is FIREWALLED when you
DROP packets.
In fact, ports where firewalls drop packets are labelled by nmap (arguably
one of the most common and prolific port scanners around) as firewalled.

Refusing a connection will keep a malicious intruder guessing for a lot
longer until they get bored and go away.

This will be the case with script kiddies, but any advanced hacker is not
going to be deterred by filtered ports anyway; there are far simpler
methods to break into somebody's network.

The saying goes: "A directed attack, whether it is Denial of Service or
information theft, is virtually impossible to stop. Much like a car alarm,
the firewall acts as a deterrent, but the experienced and determined thief
will get your car eventually."

# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.

Yes, as I said, this causes extra bandwidth usage, but it is so little.
A half-decent probe would be trying to avoid detection by spacing packets,
randomising ports, connecting from different machines etc.; all in all the
time is usually an extended period, so the impact is minimal.

>Dropping packets is actually a line of defense, and you really should use

Depending on your view.

Security through obscurity is a well-practised art form.

Simple stuff like: never use port 22 for SSH; use 36789 or whatever, but
something well above 20000.
Running a port scan on all 65535 ports is a very time- and resource-consuming
thing, so keep any service off its default port where you can.

Anyway, my point is that the less information you can gather about a target
system, the more time and resources have to be used to achieve your goal.

DROPping packets shortens that time.
They know the firewall exists.
They know that because there is a firewall, there is "quite probably" an
[adequate] installation of something, so get the fingerprints and start
looking for default-installed apps.

My view, your view, we are both right.



Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
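The DROP-versus-REJECT argument in the thread comes down to what a scanner sees on the wire. The following is an added example, not code from the original post or from SuSEfirewall2: a minimal TCP connect probe that classifies a port the way nmap's connect scan does. A REJECT answers with a TCP RST (or an ICMP unreachable), which the OS surfaces as "connection refused", so the port reads as closed; a DROP answers with nothing, the connect times out, and the port reads as filtered, the state the thread calls "firewalled". The host, port and timeout values are illustrative assumptions, and the loopback demo can only produce the open and closed outcomes, since a DROP rule in the path is needed for a real filtered result.

```python
import socket

# Added example (not from the original post or SuSEfirewall2): classify a TCP
# port from the outcome of a plain connect(), as a connect scanner would.
# Host, port and timeout values below are illustrative assumptions.


def classify_error(exc: BaseException) -> str:
    """Map the error raised by connect() to a scanner-style port state."""
    if isinstance(exc, ConnectionRefusedError):
        # RST came back: nothing listening, or a firewall REJECT rule.
        return "closed"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # No reply at all within the timeout: the classic firewall DROP.
        return "filtered"
    if isinstance(exc, OSError):
        # Routing/ICMP trouble (ENETUNREACH, EHOSTUNREACH, ...), not a verdict
        # on the port itself.
        return "unreachable"
    raise exc


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            # Three-way handshake completed: something accepted the connection.
            return "open"
    except Exception as exc:  # noqa: BLE001 - every outcome is a result here
        return classify_error(exc)


def demo_localhost() -> dict:
    """Probe a live loopback listener, then the same port once it is closed.

    Exercises only 'open' and 'closed'; 'filtered' needs a DROP rule between
    the prober and the target, which loopback cannot produce.
    """
    results = {}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    results["listening"] = probe_port("127.0.0.1", port)
    listener.close()
    # With nothing bound, the kernel answers the SYN with RST, exactly what a
    # REJECT rule does on the firewall side.
    results["after_close"] = probe_port("127.0.0.1", port)
    return results


if __name__ == "__main__":
    for label, state in demo_localhost().items():
        print(f"{label}: {state}")
```

Run against a host whose firewall DROPs, the probe sits for the full timeout and returns "filtered"; against one that REJECTs it returns "closed" almost instantly. That timing difference is the "much slower" portscan the config comment refers to, and the instant RST is the extra reply traffic the poster is weighing against it.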