Re: [suse-security] return-rst (was: filtering ports)

27 Sep 2001

      Hi,

On 27-Sep-01 r.maurizzi@gvs.it wrote:
...
Boris Lorenz  wrote:
...
Hope that sheds more light on the issue.
Let's see if I've understood correctly:
If I return-rst all incoming connection on my 22 except ones from a "trusted"
net, but I don't also drop/deny the unwanted IPs, an attacker can simply
ignore
the reset packets and happily connect to the port... right?
Well, no. You can't connect to a port which sends RSTs back to you under normal
circumstances. If you'd construct an "deny-all-except" ipchains rule for the ssh
port, return-rst resets all connections, except yours.

Perhaps my example ipchains line wasn't clear enough.

Let's try this one:

ipchains -A input -p tcp -y -o 128 -j DENY -s ! 1.2.3.4/32 -d <yourhost> 22

("copy 128 bytes of connections with SYN set and ACK and FIN unset to the
netlink device which *don't* (-s !...) come in via "trusted" IP 1.2.3.4 to
the ssh server on your host").

Of course one could use IP spoofing to fiddle with that return-rst'ed port, but
I guess the attacker would want to get some packets back, which does not happen
if he/she spoofs his/her connection. Using toys like hping in a decent script
and spoofing, you may be able to say that there is in fact a service
listening... Did I mention already that return-rst is no wonder cure? ;))
...
Ciao,
  Rob!
Boris Lorenz 
---