Stealthing Port 113
I am running SUSE Linux 8.2 (v2.4 kernel). I am using the machine as a router, firewall (SUSEFirewall2) and http proxy (squid) for my home network.

I have checked using www.grc.com which ports I have open to the outside world and find that all ports up to 1056 are in stealth mode EXCEPT port 113 (IDENT) which is reported as closed. So my machine can be detected on this port although it will not respond.

I have seen suggestions that it is possible to ROUTE any incoming traffic on port 113 to a fictitious IP address on my local net, resulting in full stealth. Does anyone know how this can be done by configuring my SUSEFirewall2.conf file?

I do not have a DMZ setup. The firewall machine is also providing caching DNS and DHCP services to the local network as well as being the Browse Master for my Windows network using SAMBA.

Any suggestions on how to prevent port 113 being visible?

Also, is there a way to get new settings from SUSEFirewall2.conf to be loaded without having to reboot?

Thanks for your help.

Philip
* Philip B Cook (philipbcook@ntlworld.com) [030814 11:23]:
> I have checked using www.grc.com which ports I have open to the outside world and find that all ports up to 1056 are in stealth mode EXCEPT port 113 (IDENT) which is reported as closed. So my machine can be detected on this port although it will not respond.
The SuSEfirewall has a rule that explicitly rejects tcp/113. Otherwise, you'll get delays sending mail.
> I have seen suggestions that it is possible to ROUTE any incoming traffic on port 113 to a fictitious IP address on my local net, resulting in full stealth.
That's probably a bad idea but you could allow the connections and reroute them with rinetd.
> Any suggestions on how to prevent port 113 being visible.
It's not visible, it's just being denied. Unless you are actually running an identd daemon, of course.
> Also.. is there a way to get new settings from SUSFirewall2.conf to be loaded without having to reboot.
$ /usr/sbin/rcSuSEfirewall2 reload

--
-ckm
> $ /usr/sbin/rcSuSEfirewall2 reload

> /sbin/rcSuSEfirewall2 stop && /sbin/rcSuSEfirewall2 start
Or just:

SuSEfirewall2

It always starts by clearing out all the stuff anyway.
> I had problems with that reload-feature (not all rules were kicked ;-( )!
Ehm, are you sure?

Volker

--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
Hm, I am running SuSEfirewall2 and SuSE 8.0 Professional on my router here, and the "Reload" option is not even included. I always have to stop and then start SuSEfirewall2 to apply changes in the firewall script.

Cheers,
Jörg

----- Original Message -----
From: Philippe Vogel <filiaap@freenet.de>
To: <suse-security@suse.com>
Sent: Thursday, August 14, 2003 8:53 PM
Subject: Re: [suse-security] Stealthing Port 113
> > $ /usr/sbin/rcSuSEfirewall2 reload
>
> /sbin/rcSuSEfirewall2 stop && /sbin/rcSuSEfirewall2 start
>
> This will unload everything and reload all rules. I had problems with that reload-feature (not all rules were kicked ;-( )!
>
> would be nicer!
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Have a closer look at /sbin/SuSEfirewall2

[...snip...]
# If port 113 (auth/identd) will not allowed below, outgoing mail would
# be delayed most of the time. Hence we put a hardcoded reject line in.
$IPTABLES -I input_ext 1 -j "$REJECT" -p tcp --dport 113 --syn 2> /dev/null
[...snip...]
# If port 113 (auth/identd) was not allowed above, outgoing mail would
# be delayed most of the time. Hence we put a hardcoded reject line in.
for CHAIN in input_ext input_int; do
    $LDA $IPTABLES -A $CHAIN -j LOG ${LOG}"-REJECT " -p tcp --dport 113 --syn
    $IPTABLES -A $CHAIN -j "$REJECT" -p tcp --dport 113 --syn 2> /dev/null
done
[...snip...]

That means all traffic to port 113 will be rejected. Have a look at the comments (see above) before changing anything - not recommended, unless you know what you are doing!

Anyway, connections to port 113 are blocked, so why hide your machine from the outside world? A machine is only as safe as its inside security (try secumod/PERMISSION_SECURITY)! Invisible will bring you nothing if the kernel is vulnerable to exploits. Better update your kernel to the patched one without the iptables bug!

Try to set up SuSEfirewall2 this way:

# 19.)
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
# 20.)
FW_ALLOW_FW_TRACEROUTE="no"

Now tracing and pinging will be impossible. Another fine result is that stealth scans and other mass port scans will now last for ages (1/2 or 1 hour depending on connection type)! This makes your machine not invisible, but scanners don't have fun scanning your box, because of the long time needed for this scan.

Scan detection/protection from an older mail in the suse-security list:

[quote]
I got the following from the Packet Filtering HOWTO, by Rusty Russell. You may need to filter the INPUT chain as well, to protect your own machine(s). USE AT YOUR OWN RISK!!!

#------------------------------------------------------#
# LOG Syn-flood Denial of Service attempts - 10 per hour
iptables -A FORWARD -p tcp --syn -m limit --limit 10/h \
    -j LOG --log-prefix 'Syn-flood attack??? '
# Syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG Furtive Port Scanner attempts - 10 per hour
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 10/h -j LOG --log-prefix 'Port Scanner attack??? '
# Port Scanner protection
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG Ping of Death Denial of Service attempts - 10 per hour
iptables -A FORWARD -p icmp --icmp-type echo-request \
    -m limit --limit 10/h -j LOG --log-prefix 'Ping of Death attack??? '
# Ping of Death protection
iptables -A FORWARD -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#

Regards - Keith Roberts
[/quote]

With best wishes
Philippe

----- Original Message -----
From: "Philip B Cook" <philipbcook@ntlworld.com>
To: <suse-security@suse.com>
Sent: Thursday, August 14, 2003 8:25 PM
Subject: [suse-security] Stealthing Port 113
> I am running SUSE Linux 8.2 (v2.4 kernel). I am using the machine as a router, firewall (SUSEFirewall2) and http proxy (squid) for my home network.
>
> I have checked using www.grc.com which ports I have open to the outside world and find that all ports up to 1056 are in stealth mode EXCEPT port 113 (IDENT) which is reported as closed. So my machine can be detected on this port although it will not respond.
>
> I have seen suggestions that it is possible to ROUTE any incoming traffic on port 113 to a fictitious IP address on my local net, resulting in full stealth.
>
> Does anyone know how this can be done by configuring my SUSEFirewall2.conf file.
>
> I do not have a DMZ setup. The firewall machine is also providing a caching DNS and DHCP services to the local network as well as being the Browse Master for my Windows network using SAMBA.
>
> Any suggestions on how to prevent port 113 being visible.
>
> Also.. is there a way to get new settings from SUSFirewall2.conf to be loaded without having to reboot.
>
> Thanks for your help.
>
> Philip
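The quoted HOWTO rules rely on the iptables `limit` match, which is a token bucket: `--limit` is the refill rate and `--limit-burst` (default 5) the bucket size. Two things are easy to miss when reading them: the LOG rule is non-terminating, so a packet that is logged still continues to the ACCEPT rule, and the ACCEPT rule only lets through packets that fit the rate; excess packets match nothing in the quoted lines and fall through to whatever follows in the chain and, finally, the chain policy. The simulation below is an added illustration written for this page, not code from the thread or from the HOWTO; it models `-m limit` as a plain token bucket and feeds it constructed SYN arrival times to show how many packets of a burst the two rules log and accept.

```python
"""Model the iptables '-m limit' match used by the quoted FORWARD rules.

Added illustration, not code from the thread or the Packet Filtering HOWTO.
The bucket below follows the documented semantics of '-m limit' (rate plus
burst); the arrival times are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Token bucket modelled on iptables '-m limit --limit R --limit-burst B'."""
    rate_per_sec: float            # --limit, converted to events per second
    burst: int = 5                 # --limit-burst, iptables default
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)   # bucket starts full

    def matches(self, now: float) -> bool:
        """Return True if the packet seen at time 'now' is within the limit."""
        elapsed = now - self.last
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_rate(spec: str) -> float:
    """Convert an iptables --limit spec such as '1/s' or '10/h' to events/second."""
    num, unit = spec.split("/")
    seconds = {"s": 1, "second": 1, "m": 60, "minute": 60,
               "h": 3600, "hour": 3600, "d": 86400, "day": 86400}[unit]
    return float(num) / seconds


def run_chain(arrivals, log_limit="10/h", accept_limit="1/s", fallthrough="DROP"):
    """Walk SYN arrival times (seconds) through the two quoted rules in order.

    Rule 1: -m limit --limit 10/h -j LOG     (non-terminating: packet continues)
    Rule 2: -m limit --limit 1/s  -j ACCEPT  (terminating)
    A packet matching neither rule gets 'fallthrough', standing in for the rest
    of the chain and the chain policy, which the quoted lines do not set.
    """
    log_bucket = LimitMatch(parse_rate(log_limit))
    accept_bucket = LimitMatch(parse_rate(accept_limit))
    logged = 0
    verdicts = []
    for t in arrivals:
        if log_bucket.matches(t):
            logged += 1                       # kernel log line, packet goes on
        verdicts.append("ACCEPT" if accept_bucket.matches(t) else fallthrough)
    return {"logged": logged, "verdicts": verdicts}


# Constructed burst: 20 SYNs inside the first second, then one SYN per second.
SAMPLE_ARRIVALS = [i * 0.05 for i in range(20)] + [2.0, 3.0, 4.0, 5.0, 6.0]

if __name__ == "__main__":
    result = run_chain(SAMPLE_ARRIVALS)
    print("logged:", result["logged"])
    print("accepted:", result["verdicts"].count("ACCEPT"), "of", len(SAMPLE_ARRIVALS))
    print("verdicts:", " ".join(v[0] for v in result["verdicts"]))
```

With the constructed burst, the first five SYNs use up the burst allowance of both buckets: they are logged and accepted, the remaining fifteen in that second fall through, and the later one-per-second SYNs are accepted again because the 1/s bucket has refilled. Only five log lines appear in the whole run, since the LOG rule's own 10/h bucket is also spent by the burst; that is why the HOWTO pairs a slow LOG limit with a faster ACCEPT limit.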
On Thu, Aug 14, 2003 at 07:25:33PM +0100, Philip B Cook wrote:
> I have checked using www.grc.com which ports I have open to the outside
It is a useful tool, thanks for that hint.
> world and find that all ports up to 1056 are in stealth mode EXCEPT port 113 (IDENT) which is reported as closed. So my machine can be detected on this port although it will not respond.
Just a remark: If you use "reject-with tcp-reset" they will list the port as CLOSED. If you use "reject-with icmp-port-unreachable" it is listed as STEALTH. I use the icmp variant to address the mail delay problem. Therefore I was surprised that all ports were listed as STEALTH.

--
Stefan Tichy <listuser@pi4tel.de>
On Thu, Aug 14, 2003 at 07:25:33PM +0100, Philip B Cook wrote:
> I have checked using www.grc.com which ports I have open to the outside world and find that all ports up to 1056 are in stealth mode EXCEPT port 113 (IDENT) which is reported as closed. So my machine can be detected on this port although it will not respond.
The only thing you can do to avoid "detection" on the internet is to tell the router _before_ you (i.e. at your ISP) to respond with an "ICMP host unreachable". If I try to connect to a machine and there is *no* response, I know there is something; if I get "ICMP host unreachable", I'm sure there is nothing. So go talk to your ISP and ask if they can arrange this for you. I'm sure they can. There may be some side effects, but it is worth it, believe me.

Oh, and there is a reason why port 113 is rejected instead of dropped. Otherwise you (and others) would complain about problems connecting to some ftp or irc servers when using SuSEfirewall.

--
Stefan Seyfried
Senior Consultant
community4you GmbH, Chemnitz, Germany.
http://www.community4you.de http://www.open-eis.com
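Stefan Tichy's remark and Stefan Seyfried's follow-up describe the same trade-off from two sides: the firewall action chosen for tcp/113 decides both what a remote probe reports (RST reads as "closed", ICMP port unreachable as "stealth", silence as "stealth") and whether an identd lookup by a mail, ftp or irc server fails at once or hangs until its timeout. The script below is an added example for this page, not code from the thread or from SuSEfirewall2: it parses a list of iptables rule strings in the order a chain would evaluate them (first terminating match wins, LOG rules are non-terminating), picks the rule that would handle a SYN to tcp/113, and reports both views. The three rule sets are constructed; the `--reject-with tcp-reset` value in the first set is an assumption that mirrors the "closed" result in Philip's grc report, not a quote of the actual `$REJECT` setting.

```python
"""Audit iptables rules for tcp/113 and report what a remote probe sees.

Added illustration, not part of the thread. Rule strings are constructed in
iptables command syntax; the chain walk uses first-match semantics, skipping
non-terminating LOG rules, the way iptables evaluates a chain.
"""
import shlex

# What a port scanner reports for each (target, reject type), following
# Stefan Tichy's observation for the two REJECT variants.
SCANNER_VIEW = {
    ("REJECT", "tcp-reset"): "closed (RST)",
    ("REJECT", "icmp-port-unreachable"): "stealth (ICMP port unreachable)",
    ("DROP", None): "stealth (no reply)",
    ("ACCEPT", None): "open only if identd listens, otherwise closed (RST)",
}

# Effect on a remote server that performs an ident lookup before accepting us.
IDENT_EFFECT = {
    "REJECT": "fails immediately, no delay",
    "DROP": "hangs until the remote server's ident timeout",
    "ACCEPT": "answered by identd if one is running",
}


def parse_rule(rule: str) -> dict:
    """Pick the fields that matter out of one iptables rule string."""
    toks = shlex.split(rule)
    r = {"proto": None, "dport": None, "syn": False, "target": None, "reject_with": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            r["proto"], i = toks[i + 1], i + 2
        elif t == "--dport":
            r["dport"], i = int(toks[i + 1]), i + 2
        elif t == "--syn":
            r["syn"], i = True, i + 1
        elif t == "-j":
            r["target"], i = toks[i + 1], i + 2
        elif t == "--reject-with":
            r["reject_with"], i = toks[i + 1], i + 2
        else:
            i += 1
    return r


def first_match(rules, proto="tcp", dport=113):
    """Return the first terminating rule a SYN to proto/dport would hit."""
    for rule in rules:
        r = parse_rule(rule)
        if r["target"] == "LOG":
            continue                       # logged, but the packet carries on
        if r["proto"] in (None, proto) and r["dport"] in (None, dport):
            return r
    return None                            # nothing matched: chain policy applies


def probe_outcome(rules, chain_policy="DROP"):
    """Summarise scanner view and ident-lookup effect for a SYN to tcp/113."""
    r = first_match(rules)
    if r is None:
        target, reject_with = chain_policy, None
    else:
        target, reject_with = r["target"], r["reject_with"]
        if target == "REJECT" and reject_with is None:
            reject_with = "icmp-port-unreachable"   # iptables default for REJECT
    return {
        "target": target,
        "reject_with": reject_with,
        "scanner_view": SCANNER_VIEW.get((target, reject_with), f"unknown ({target} {reject_with})"),
        "ident_lookup": IDENT_EFFECT.get(target, "unknown"),
    }


# Constructed rule sets. The tcp-reset value below is an assumption.
SUSE_STYLE = [
    "-A input_ext -p tcp --dport 113 --syn -j LOG --log-prefix 'SFW2-IN-REJECT '",
    "-A input_ext -p tcp --dport 113 --syn -j REJECT --reject-with tcp-reset",
    "-A input_ext -j DROP",
]
ICMP_VARIANT = [
    "-A input_ext -p tcp --dport 113 --syn -j REJECT --reject-with icmp-port-unreachable",
    "-A input_ext -j DROP",
]
DROP_EVERYTHING = ["-A input_ext -j DROP"]

if __name__ == "__main__":
    for name, rules in (("SuSE-style", SUSE_STYLE), ("icmp variant", ICMP_VARIANT),
                        ("drop everything", DROP_EVERYTHING)):
        out = probe_outcome(rules)
        print(f"{name:16s} scanner: {out['scanner_view']:40s} ident: {out['ident_lookup']}")
```

Running it shows why the thread keeps steering away from "full stealth" on 113: the only configuration that yields "stealth (no reply)" is the one that makes every ident lookup against you wait for a timeout, while the ICMP reject variant that Stefan Tichy uses keeps the immediate failure and still reads as stealth to that particular scanner.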
participants (7)

- Christopher Mahmood
- Philip B Cook
- Philippe Vogel
- remote
- Stefan Andreas Tichy
- Stefan Seyfried
- Volker Kuhlmann