
Hi, I have a question and I think the answer is no. Anyway, I have a router (no firewall) (SuSE 6.0) with 2 network cards. One of them has an official IP number (a real IP number) and the other card has an unofficial number. Is it possible to access from the outside to the inside? And why? Many thanks, als

On Fri, 9 Jun 2000, als wrote:
Hi,
I have a question and I think the answer is no. Anyway, I have a router (no firewall) (SuSE 6.0) with 2 network cards. One of them has an official IP number (a real IP number) and the other card has an unofficial number. Is it possible to access from the outside to the inside? And why?
You could use proxies (like rinetd) or use redirection... hm, I don't really know if ipchains/ipfwadm supports that - ipfilter does. Bye, Thomas
-- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47

Yes you can... You must use the iproute2 package to do NAT. There are many HOWTOs on www.linuxdoc.org. Julien Calvet
----- Original Message ----- From: "als" <als@almaplan.com> To: <suse-security@suse.com> Sent: Friday, June 09, 2000 9:49 AM Subject: [suse-security] A Question
Hi,
I have a question and I think the answer is no. Anyway, I have a router (no firewall) (SuSE 6.0) with 2 network cards. One of them has an official IP number (a real IP number) and the other card has an unofficial number. Is it possible to access from the outside to the inside? And why?
many thanks
als
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

On 9 Jun 2000, at 11:28, Julien Calvet wrote:
Yes you can... You must use the iproute2 package to do NAT.
Hi, to me it sounded like Julien wanted to know if *somebody* (not allowed to) can connect to the private LAN through his router. And that, AFAIK, is not possible without getting access to the router. This leads me to a question I wanted to post for quite a while: I have a PC connected to the internet and my server doing NAT to allow access from my LAN to the internet. My LAN, like Julien's, uses private addresses 192.168.xxx.xxx. As said above, AFAIK it is not possible for someone to access my LAN as the private addresses are not routed in the internet. So someone would need to compromise my router, log in (with e.g. telnet) and then has access to my LAN. If that happened, all he has to access my LAN with are the programs installed on the router. Is that right? thanks mike

Hi, It is certainly true that your workstation is not accessible from the outside easily. However, every time you open a connection with HTTP, FTP or whatever, your gateway opens a port which will open a route to your inner workstation. I'm not an expert in this, but I guess with a little luck, a nasty tool and an insecure workstation one *could* get on the workstation without cracking the gateway in the first place. Although this seems really paranoid, you can read in every security paper that it is better to use proxies on your gateway than network address translation. Then you have to crack the gateway before possibly getting into the inner network. If someone cracked your gateway he has only the tools available on the machine. You can prohibit users from using / in commands (so they can't download a tool and use it since they just can't launch it with ./mytool.sh). There is a kernel patch which can make your system really secure with read-only logfiles and the like (they can only be written by the kernel itself); however, for maintenance you have to reboot into a less secure kernel since even root can't do anything with this patch. I think for most cases it is secure enough to have no compiler installed, no user accounts, every damn port closed which is not necessarily used, ban every clear text protocol (telnet, ftp) and rsync your logfiles from an inner machine every once in a while (and read them ;-) Maybe a real expert can confirm or deny the first paragraph? enjoy the weekend -florian
On Fri, 9 Jun 2000 Thomas Michael Wanka yelled into the voidness of cyberspace:
On 9 Jun 2000, at 11:28, Julien Calvet wrote:
Yes you can... You must use the iproute2 package to do NAT.
Hi,
to me it sounded like Julien wanted to know if *somebody* (not allowed to) can connect to the private LAN through his router. And that, AFAIK, is not possible without getting access to the router.
This leads me to a question I wanted to post for quite a while:
I have a PC connected to the internet and my server doing NAT to allow access from my LAN to the internet. My LAN, like Julien's, uses private addresses 192.168.xxx.xxx. As said above, AFAIK it is not possible for someone to access my LAN as the private addresses are not routed in the internet. So someone would need to compromise my router, log in (with e.g. telnet) and then has access to my LAN. If that happened, all he has to access my LAN with are the programs installed on the router. Is that right?
thanks
mike

Hi, actually the routing PC runs NetBSD; there is no telnet, ftp, compilers etc., and the system is in a state where the disk is kind of write protected: only to special files (like logfiles) can data be added, existing data can not be modified or erased. The system can only be changed to single user mode by rebooting from the console (or tty), and only in single user mode is the write protection deactivated. The routing PC performs IP filtering too. This router PC is in one subnet with the server, which runs SuSE 6.3 and performs IP filtering and NAT; all the workstations are in a second subnet. I think it will be really hard to break into the router, and even when it is done, it should not be possible to get any tools to break into the server! By using two different systems, a possible intruder would have to know both. The thing I am concerned about is the mentioned possibility to follow a route to the workstation, as these are currently Win98 PCs and I do not think it even was possible to get them secure. thanks mike
On 9 Jun 2000, at 13:49, Florian Gnägi wrote:
Hi
It is certainly true that your workstation is not accessible from the outside easily. However, every time you open a connection with HTTP, FTP or whatever, your gateway opens a port which will open a route to your inner workstation. I'm not an expert in this, but I guess with a little luck, a nasty tool and an insecure workstation one *could* get on the workstation without cracking the gateway in the first place.
Although this seems really paranoid, you can read in every security paper that it is better to use proxies on your gateway than network address translation. Then you have to crack the gateway before possibly getting into the inner network.
If someone cracked your gateway he has only the tools available on the machine. You can prohibit users from using / in commands (so they can't download a tool and use it since they just can't launch it with ./mytool.sh). There is a kernel patch which can make your system really secure with read-only logfiles and the like (they can only be written by the kernel itself); however, for maintenance you have to reboot into a less secure kernel since even root can't do anything with this patch.
I think for most cases it is secure enough to have no compiler installed, no user accounts, every damn port closed which is not necessarily used, ban every clear text protocol (telnet, ftp) and rsync your logfiles from an inner machine every once in a while (and read them ;-)
Maybe a real expert can confirm or deny the first paragraph?
enjoy the weekend -florian
On Fri, 9 Jun 2000 Thomas Michael Wanka yelled into the voidness of cyberspace:
On 9 Jun 2000, at 11:28, Julien Calvet wrote:
Yes you can... You must use the iproute2 package to do NAT.
Hi,
to me it sounded like Julien wanted to know if *somebody* (not allowed to) can connect to the private LAN through his router. And that, AFAIK, is not possible without getting access to the router.
This leads me to a question I wanted to post for quite a while:
I have a PC connected to the internet and my server doing NAT to allow access from my LAN to the internet. My LAN, like Julien's, uses private addresses 192.168.xxx.xxx. As said above, AFAIK it is not possible for someone to access my LAN as the private addresses are not routed in the internet. So someone would need to compromise my router, log in (with e.g. telnet) and then has access to my LAN. If that happened, all he has to access my LAN with are the programs installed on the router. Is that right?
thanks
mike

Someone could spoof your invalid IP (rewrite their packets to have a source address of 192.168.xxx.xxx) and gain access, or you could allow access using port forwarding. To prevent spoofing, use the following rules in your firewall script:
-----------------------------------------------
# Turn on reverse-path (source address) verification on every interface
for pfile in /proc/sys/net/ipv4/conf/*/rp_filter
do
    echo "1" > $pfile
done
-----------------------------------------------
To allow port forwarding you need support in the kernel and then rules like the following:
-----------------------------------------------
# Load Port Forwarding Module
/sbin/modprobe ip_masq_portfw
#
# Setup Port Forwarding Rules
ipmasqadm portfw -f   # Flush any existing rules
#
# Forward remote calls to port 80 on the external address to port 80 on the local machine
ipmasqadm portfw -a -P tcp -L 1.2.3.4 80 -R 192.168.xxx.xxx 80
------------------------------------------------
This will redirect port 80 requests to your firewall/router to port 80 on a local machine. You can do this with multiple ports and multiple machines and it works quite well.
On Fri, 09 Jun 2000, Thomas Michael Wanka wrote:
> On 9 Jun 2000, at 11:28, Julien Calvet wrote:
Yes you can... You must use the iproute2 package to do NAT.
Hi,
to me it sounded like Julien wanted to know if *somebody* (not allowed to) can connect to the private LAN through his router. And that, AFAIK, is not possible without getting access to the router.
This leads me to a question I wanted to post for quite a while:
I have a PC connected to the internet and my server doing NAT to allow access from my LAN to the internet. My LAN, like Julien's, uses private addresses 192.168.xxx.xxx. As said above, AFAIK it is not possible for someone to access my LAN as the private addresses are not routed in the internet. So someone would need to compromise my router, log in (with e.g. telnet) and then has access to my LAN. If that happened, all he has to access my LAN with are the programs installed on the router. Is that right?
thanks
mike
-- Chad Whitten cwhitten@intop.net http://whitten.dhs.org
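Mike's follow-up says he will test whether the rp_filter setting is really in place. The audit below is an added example for this thread, not code posted by any participant: it reads the same /proc/sys/net/ipv4/conf/*/rp_filter files that the shell loop above writes, reports which interfaces still have reverse-path filtering off, and can apply the fix in dry-run mode first. The directory argument is an assumption of this example so that the check can run against a constructed copy of the tree (built inline) as well as the live /proc on a Linux box.

```python
"""Audit Linux reverse-path filtering (rp_filter) per interface.

Added example for this thread (not a participant's code). On a real Linux
system run it as root against /proc/sys/net/ipv4/conf; the constructed tree
built by make_sample_tree() stands in for that directory here.
"""
import tempfile
from pathlib import Path

PROC_CONF = Path("/proc/sys/net/ipv4/conf")  # real location on Linux


def read_rp_filter(conf_dir=PROC_CONF):
    """Return {interface: value} for every conf/*/rp_filter file found."""
    conf_dir = Path(conf_dir)
    settings = {}
    for iface_dir in sorted(conf_dir.iterdir()):
        rp_file = iface_dir / "rp_filter"
        if rp_file.is_file():
            # The file holds a single integer; treat an empty file as 0 (off).
            settings[iface_dir.name] = int(rp_file.read_text().strip() or "0")
    return settings


def unfiltered_interfaces(conf_dir=PROC_CONF):
    """Names of interfaces whose rp_filter is 0, i.e. spoofed sources pass."""
    return [name for name, value in read_rp_filter(conf_dir).items() if value == 0]


def enable_rp_filter(conf_dir=PROC_CONF, dry_run=True):
    """Write "1" into every unfiltered rp_filter file (what the shell loop does).

    With dry_run=True nothing is written; the files that would change are
    returned so the change can be reviewed before it is applied.
    """
    conf_dir = Path(conf_dir)
    changed = []
    for name in unfiltered_interfaces(conf_dir):
        rp_file = conf_dir / name / "rp_filter"
        if not dry_run:
            rp_file.write_text("1\n")
        changed.append(str(rp_file))
    return changed


def make_sample_tree(base):
    """Constructed stand-in for /proc/sys/net/ipv4/conf (not a real system):
    the external and 'all' entries are filtered, eth1 and lo are not."""
    base = Path(base)
    for iface, value in {"all": "1", "eth0": "1", "eth1": "0", "lo": "0"}.items():
        (base / iface).mkdir(parents=True, exist_ok=True)
        (base / iface / "rp_filter").write_text(value + "\n")
    return base


def demo_audit():
    """Run the audit against the constructed tree; returns (before, changed, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = make_sample_tree(tmp)
        before = unfiltered_interfaces(tree)
        changed = enable_rp_filter(tree, dry_run=False)
        after = unfiltered_interfaces(tree)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo_audit()
    print("rp_filter off on:", before)
    print("fixed files:", changed)
    print("still off after fix:", after)
```

Running the audit periodically (for example from the inner machine that already pulls the logfiles) catches the case Steffen mentions later in the thread, where a protection is forgotten or silently reset after a reboot.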

Hi, I have not tested that, but AFAIK as soon as I get a packet with an invalid address (192.168.xxx.xxx) on the external interface from outside, the packet should be dropped or rejected; I will test this. Your suggested filtering is already done! thanks mike
On 9 Jun 2000, at 8:12, Chad Whitten wrote:
Someone could spoof your invalid IP (rewrite their packets to have a source address of 192.168.xxx.xxx) and gain access, or you could allow access using port forwarding to prevent spoofing

On Fri, Jun 09, 2000 at 13:33 +0200, Thomas Michael Wanka wrote:
I have a PC connected to the internet and my server doing NAT to allow access from my LAN to the internet. My LAN, like Julien's, uses private addresses 192.168.xxx.xxx. As said above, AFAIK it is not possible for someone to access my LAN as the private addresses are not routed in the internet.
This ("are not routed in the internet") is better put as "should not get routed ..." -- it's not a requirement but common practice. Don't count on "RFC1918 won't show up from outside" and "won't find a way" (I'm not speaking of where the packets will end up when many LANs leak ambiguously addressed packets).
So someone would need to compromise my router, log in (with e.g. telnet) and then has access to my LAN.
How about someone addressing a packet to your RFC address and source routing it via your official IP (see the IP options on this)? This will deliver the packet to your router, and this machine knows how to get to your workstation or LAN server. And to repeat it: Don't count on source routed packets being dropped just because *you* have always done so. As well as you make mistakes yourself, other admins will fail, too, sometimes. And there's always something your neighbour might not even know about and thus doesn't even have a chance of being concerned. :) This is all heading in the same direction: Every aspect turns out to be a configuration problem. Don't imply anything, express all constraints yourself. Set up a packet filter and explicitly state yourself:
- "I don't expect to see RFC1918 IPs on the outside so I drop those packets"
- "I know that _my_ address is *mine* so nobody else may use it, too"
- "loopback addresses never show up on NICs"
- "I know that packets from the inside can have internal source addresses only"
- "nobody will ever initiate a connection _into_ my net, I always act as the consumer and don't service anyone out there"
- etc pp
It may sound a little stupid, but security is about being paranoid. :) The good thing about these explicit rules is that you can be sure of some things not happening. Even if you get this stuff delivered, it won't make it over your router. And whatever you produce inside, it won't get out unless you allow it to. Just express your expectations and make a mechanism enforce this regime ...
virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- If you don't understand or are scared by any of the above ask your parents or an adult to help you.
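Gerhard's list reads as a policy; the model below, an added example for this thread and not code from any participant, turns each of those explicit expectations (plus his source-routing point) into a check and evaluates it over constructed packets, the way a stateless filter such as ipchains would decide per packet. The interface names, the gateway's external address 203.0.113.5, the internal net 192.168.1.0/24 and every packet are assumptions of this example; "connection initiation" is modelled as a TCP SYN without ACK, which is how a stateless filter distinguishes new connections from replies.

```python
"""Explicit gateway packet-filter policy, modelled over constructed packets.

Added example for this thread (not a participant's code). It implements the
expectations listed above for a two-interface NAT gateway and drops anything
that violates one, instead of relying on upstream routers to behave.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass
class Packet:
    iface: str                   # interface the packet arrived on
    src: str
    dst: str
    syn_only: bool = False       # TCP SYN without ACK: a connection initiation
    source_routed: bool = False  # LSRR/SSRR IP option present


class Gateway:
    def __init__(self, ext_iface, ext_addr, int_iface, int_net):
        self.ext_iface = ext_iface
        self.ext_addr = ipaddress.ip_address(ext_addr)
        self.int_iface = int_iface
        self.int_net = ipaddress.ip_network(int_net)

    def decide(self, pkt):
        """Return "ACCEPT" or a "DROP: <reason>" string for one packet."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if pkt.source_routed:
            return "DROP: source-routed packet"
        if src in LOOPBACK or dst in LOOPBACK:
            return "DROP: loopback address on a NIC"
        if pkt.iface == self.ext_iface:
            if any(src in net for net in RFC1918):
                return "DROP: RFC1918 source on external interface"
            if src == self.ext_addr:
                return "DROP: my own address arriving from outside"
            if dst in self.int_net:
                # Outside traffic must only ever be addressed to the NAT address.
                return "DROP: internal destination from outside"
            if pkt.syn_only:
                return "DROP: inbound connection attempt"
            return "ACCEPT"  # reply traffic to a connection we initiated
        if pkt.iface == self.int_iface:
            if src not in self.int_net:
                return "DROP: non-internal source on internal interface"
            return "ACCEPT"
        return "DROP: unknown interface"


# Constructed gateway and sample packets (assumed addresses, not a real site).
GATEWAY = Gateway("eth0", "203.0.113.5", "eth1", "192.168.1.0/24")
SAMPLE_PACKETS = [
    Packet("eth0", "192.168.1.7", "203.0.113.5"),                     # spoofed private source
    Packet("eth0", "203.0.113.5", "203.0.113.5"),                     # our own address from outside
    Packet("eth0", "198.51.100.9", "192.168.1.7"),                    # addressed straight at the LAN
    Packet("eth0", "198.51.100.9", "203.0.113.5", syn_only=True),     # someone opening a connection
    Packet("eth0", "198.51.100.9", "203.0.113.5"),                    # reply to our own request
    Packet("eth0", "198.51.100.9", "203.0.113.5", source_routed=True),
    Packet("eth0", "127.0.0.1", "203.0.113.5"),                       # loopback on a wire
    Packet("eth1", "10.0.0.3", "198.51.100.9", syn_only=True),        # wrong source from inside
    Packet("eth1", "192.168.1.7", "198.51.100.9", syn_only=True),     # normal outbound request
]


def demo_decisions():
    """Evaluate every sample packet; returns the list of decisions in order."""
    return [GATEWAY.decide(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, demo_decisions()):
        print(f"{pkt.iface} {pkt.src} -> {pkt.dst}: {verdict}")
```

The order of checks matters: the source-routing and loopback tests apply to both interfaces and come first, and the external interface rejects on source address before looking at flags, so a spoofed packet is named for what it is rather than as a generic inbound attempt.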

* Gerhard Sittig wrote on Fri, Jun 09, 2000 at 15:39 +0200:
On Fri, Jun 09, 2000 at 13:33 +0200, Thomas Michael Wanka wrote:
Julien's, uses private addresses 192.168.xxx.xxx. As said above, AFAIK it is not possible for someone to access my LAN as the private addresses are not routed in the internet.
This ("are not routed in the internet") is better put as "should not get routed ..." -- it's not a requirement but common practice. Don't count on "RFC1918 won't show up from outside" and "won't find a way" [...]
You're right. Once in a while we did some "traceroutes" with RFC1918 source addresses with different ISPs. Usually the generated ICMP should get dropped, since it's addressed to an RFC1918 IP, but often you make some hops ... I was surprised, since I couldn't imagine how a router should know which way that packet has to be routed... Sometimes it seems that ISPs use such addresses in their networks too without filtering well. Tracing _to_ an RFC1918 address works until the first router drops that private address, generating a network unreachable or so, but sometimes the first 3 or 4 routers just forward such packets. Yeah, of course, there are a lot of misconfigured routers out there!
Don't count on source routed packets being dropped just because *you* have always done so.
I think it's a good idea to always drop source routed packets. But again this is common practice only, so don't rely on that. At all, I would never trust the ISP in any way; maybe they have a misconfigured router, or a hacked machine or whatever. And you can't know how experienced the engineers are. To put it in a sentence:
Don't imply anything, express all constraints yourself.
- etc pp
Activating the rp_filter seems to be a nice idea too.
It may sound a little stupid, but security is about being paranoid. :)
Yep, my opinion too! It's always nice to have multiple security things running. If one fails (or gets misconfigured or forgotten or whatever), it wasn't the last one... oki, Steffen
-- This message was generated by machine and therefore bears neither a signature nor a seal.

On 9 Jun 2000, at 15:39, Gerhard Sittig wrote:
How about someone addressing a packet to your RFC-address and source routing it via your official IP (see the IP options on this)? This will deliver the packet to your router and this machine knows how to get to your workstation or LAN server.
Hi, the routing PC is configured not to forward 192.168.xxx.xxx packets sent from the internet. I know what kind of "experts" work at my ISP! (BTW, it seems that here in Austria as well as in the Netherlands cable TV providers have the worst personnel compared to other ISPs; is that true for other countries?) So from what I understood, the only possibility left for an intruder is to "hook" himself to an established connection of one of the workstations to the internet. If so, how could he do this, and what possible actions can I take? thanks mike

* Thomas Michael Wanka wrote on Sat, Jun 10, 2000 at 00:09 +0200:
the routing PC is configured not to forward 192.168.xxx.xxx packets sent from the internet.
I know what kind of "experts" work at my ISP! (BTW, it seems that here in Austria as well as in the Netherlands cable TV providers have the worst personnel compared to other ISPs; is that true for other countries?)
Well, I heard of this problem from other sides too...
So from what I understood, the only possibility left for an intruder is to "hook" himself to an established connection of one of the workstations to the internet. If so, how could he do this, and what possible actions can I take?
Well, you mean TCP connection hijacking? This is one of the possibilities. This works in a way like this: Your WS sends a TCP stream to a server. This stream gets masqueraded and de-masqueraded on the way back, which doesn't matter here. On any of the routers in between an attacker could catch the packets, and send responses back. To the original target host an RST packet may be sent, which doesn't matter. Suddenly there's a connection from your internal machine to the intruder. Let's assume it's an FTP data transfer; she could send you the wrong data, maybe a trojan or whatever. Other protocols may be even more dangerous. It's not a simple thing to prevent such hijacking. At least it's necessary that the other side supports your solution. You may use IPSec or a secure protocol like SSL/TLS or SSH, or validate the data on the application level, i.e. PGP/GPG encrypted/signed mails. But for most tasks this wouldn't work, since most servers won't offer such methods. Using proxies you can protect your network from hijacked connections, since the connection goes only to the proxy, but usually the proxy has no chance to reject (or even detect) such forged data. Using squid as an FTP proxy helps nothing here, since you still could get a virus or similar. For most protocols there are simply no proxies available with some filter options of course (how would you detect illegal IRC messages? and so on), so you have to be careful... At least it's not possible to connect to a trojan inside your network, but the trojan could connect to some bad host. If the trojan is a clever one, it would be possible to insert control data into harmless looking protocols: ping ICMP packets as payload, or HTTP look-alike connections, or any other. So you cannot talk about "secure". And I don't think that there's something that helps a lot without disabling the services (you could deny all ICMPs, you could deny all HTTP and other traffic, but then you won't need a router...) Just my opinion.
oki, Steffen
-- This message was generated by machine and therefore bears neither a signature nor a seal.

Yep, you need a kernel with port forwarding built into it and some port forwarding rules using ipmasqadm. On Fri, 09 Jun 2000, als wrote:
Hi,
I have a question and I think the answer is no. Anyway, I have a router (no firewall) (SuSE 6.0) with 2 network cards. One of them has an official IP number (a real IP number) and the other card has an unofficial number. Is it possible to access from the outside to the inside? And why?
many thanks
als
-- Chad Whitten cwhitten@intop.net http://whitten.dhs.org

Yes, you can access the inside IP (not directly), but by first logging into the 2-NIC m/c with the real IP. als wrote:
Hi,
I have a question and I think the answer is no. Anyway, I have a router (no firewall) (SuSE 6.0) with 2 network cards. One of them has an official IP number (a real IP number) and the other card has an unofficial number. Is it possible to access from the outside to the inside? And why?
many thanks
als

On Fri, 9 Jun 2000, S K Senthilvel wrote:
Yes, you can access the inside IP (not directly), but by first logging into the 2-NIC m/c with the real IP.
You could also go one step further and "bypass" logging in by using a program called redir. It can be found on this page: http://sammy.net/~sammy/hacks/ Basically it's a program that listens on a port and just forwards you over to the corresponding port of a machine on your inner network. I've used it before for various things and it works well, but you should make sure that whatever machine you're connecting to is just as secure as your routing machine. -Jae
** The mouse said, "can I take the day off?" and the lion responded "No, for you will be my after lunch snack" <crunch> - Anonymous
Participants (10): als, Chad Whitten, Florian Gnägi, Gerhard Sittig, Jae, Julien Calvet, S K Senthilvel, Steffen Dettmer, Thomas Biege, Thomas Michael Wanka