Mailinglist Archive: opensuse-security (556 mails)

< Previous Next >
Re: [suse-security] Block IP in firewall
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Fri, 07 Sep 2001 11:08:30 +0200 (MEST)
  • Message-id: <XFMail.010907110830.bolo@xxxxxxx>
Jo,

On 06-Sep-01 dog@xxxxxxxxx wrote:
> you can use a REJECT instead of DENY for the ipchains rule and your
> machine will not appear to even be online. if you use the deny rule, they
> can still tell what ports you have open, but cannot connect to them.

For the records, ipchains REJECT sends out ICMP type 3 (host/port unreachable)
messages to the client, telling him to stop sending packets because there would
be no service on the port the client is hammering on. DENY silently drops the
packet, telling the client nothing, who may keep on scanning and filling your
logs.

By starting an nmap scan against a target and using tcpdump on another console
you would be able to see these port-unreachable messages in case the host
you're scanning uses some REJECT. This may indicate an active but firewalled
port. Same with DENY; an attacker could measure the timeouts of his scans and
do some "comparison scans" as well, finding that he may have hit a firewalled
port. If there would be no service/firewall in place, the scan would go much
faster.

So, neither DENY nor REJECT are capable of "hiding" any of your ports. Use
return-rst ( http://www.bellamy.co.nz/section5.html ) for that purpose, which
sends a RST packet back to the client, thus cancelling the connection at once.

> On Thu, 6 Sep 2001, maf king wrote:
>
>>
>>On 2001.09.06 17:06:59 +0100 Radu Anghel wrote:
>>> Hi,
>>>
>>> Got an ip witch is scanning during the night (an internet cafe sez
>>> pcnet).
>>> How can I block all the ports for this IP?
>>>
>>>
>>> Many thanks,
>>>
>>> Radu
>>>
>>
>>1. What kernel version are you using?
>> It makes a difference for the command to use.
>>
>>2. Make sure you have ipchains (2.2.x) or iptables (2.4.x) installed
>>
>>issue a command (as root) along the lines of :
>>
>>iptables -I INPUT 1 -s addr.of.bad.ip -j DROP
>>
>>(for 2.4.x)
>>
>>see man iptables for an explanation of this.
>>
>>if you are on a 2.2.x kernel, use
>>
>>ipchains -I INPUT 1 -s bad.ip.add.ress -j DENY
>>
>>NOTE : this doesn't stop them scanning, it just stops you from replying!
[...]

---
Boris Lorenz <bolo@xxxxxxx>
System Security Admin *nix - *nux
---

< Previous Next >
References