Hi,

On 27-Sep-01 r.maurizzi@gvs.it wrote:

> Boris Lorenz wrote:
> > Hope that sheds more light on the issue.
>
> Let's see if I've understood correctly:
> If I return-rst all incoming connections on my 22 except ones from a "trusted" net, but I don't also drop/deny the unwanted IPs, an attacker can simply ignore the reset packets and happily connect to the port... right?
Well, no. You can't connect to a port which sends RSTs back to you under normal circumstances. If you'd construct a "deny-all-except" ipchains rule for the ssh port, return-rst resets all connections, except yours. Perhaps my example ipchains line wasn't clear enough. Let's try this one:

ipchains -A input -p tcp -y -o 128 -j DENY -s ! 1.2.3.4/32 -d <yourhost> 22

("copy 128 bytes of connections with SYN set and ACK and FIN unset to the netlink device which *don't* (-s ! ...) come in via "trusted" IP 1.2.3.4 to the ssh server on your host")

Of course one could use IP spoofing to fiddle with that return-rst'ed port, but I guess the attacker would want to get some packets back, which does not happen if he/she spoofs his/her connection. Using toys like hping in a decent script and spoofing, you may be able to say that there is in fact a service listening... Did I mention already that return-rst is no wonder cure? ;))
Ciao, Rob!
Boris Lorenz
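As an added illustration (not code from the thread or from return-rst itself), a small Python model of the handshake under the deny-all-except rule above: a SYN from an untrusted address is dropped and answered with a RST, so whether or not the client ignores that RST, no SYN-ACK ever comes back; a SYN spoofed from the trusted 1.2.3.4 passes the filter, but the SYN-ACK is addressed to 1.2.3.4, not to the real sender. The server address 10.0.0.5 and the untrusted address 5.6.7.8 are constructed sample values.

```python
# Model of the "deny-all-except" ipchains rule from the thread (added example,
# not the thread's code). 1.2.3.4 is the trusted IP from the mail; the server
# and untrusted addresses are constructed sample values.
TRUSTED = "1.2.3.4"      # the -s ! 1.2.3.4/32 exception
SERVER = "10.0.0.5"      # constructed stand-in for <yourhost>
SSH_PORT = 22


def is_syn_only(flags):
    """ipchains -y: SYN set, ACK and FIN unset."""
    return "SYN" in flags and not ({"ACK", "FIN"} & flags)


def filter_input(pkt):
    """Verdict of the input chain for one inbound packet.

    Matches the mail's rule: tcp, -y, to <yourhost>:22, source not the trusted
    IP -> DENY, with the packet copied to netlink so return-rst can answer it
    with a RST. Anything else falls through (ACCEPT here).
    """
    if (pkt["proto"] == "tcp" and is_syn_only(pkt["flags"])
            and pkt["dst"] == SERVER and pkt["dport"] == SSH_PORT
            and pkt["src"] != TRUSTED):
        return "DENY+RST"
    return "ACCEPT"


def stack_reply(pkt):
    """What the listening sshd's TCP stack answers to a packet the filter let in."""
    if is_syn_only(pkt["flags"]):
        return {"proto": "tcp", "src": SERVER, "dst": pkt["src"], "sport": SSH_PORT,
                "dport": pkt["sport"], "flags": {"SYN", "ACK"}}
    return None


def attempt_connect(real_sender, claimed_src=None, ignore_rst=False):
    """Simulate one SYN; claimed_src != real_sender models a spoofed source."""
    src = claimed_src or real_sender
    syn = {"proto": "tcp", "src": src, "dst": SERVER, "sport": 40000,
           "dport": SSH_PORT, "flags": {"SYN"}}
    verdict = filter_input(syn)
    if verdict == "DENY+RST":
        # The SYN never reached the stack, so there is no SYN-ACK; ignoring the
        # RST changes nothing about the outcome.
        return {"verdict": verdict, "rst_sent": True,
                "client_ignored_rst": ignore_rst, "established": False}
    reply = stack_reply(syn)
    # The handshake only completes if the SYN-ACK reaches the real sender.
    return {"verdict": verdict, "rst_sent": False, "client_ignored_rst": ignore_rst,
            "established": reply is not None and reply["dst"] == real_sender}
```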