Hi Jeffrey, and all other SuSE people,

I scanned with nmap -sS .... from the internal interface. So as you say I am scanning from the wrong side, however I would have thought that it would still hide things. My messages file indicates that a lot of packets have been dropped. I had originally thought that it should perhaps be rejecting the packets and not dropping them.

So from what you're saying this would explain the strange results. I am not happy that the machine is announcing its presence, so I would be relieved if the reason it is is because it already trusts me to some degree. Presumably if I dial in via my ISP and try it then I may get different results.

Thanks for your insight

Steve

-----Original Message-----
From: Jeffrey Taylor [mailto:jeff.taylor@ieee.org]
Sent: 07 February 2002 15:19
To: suse-linux-e@suse.com
Subject: Re: [SLE] SuSE Firewall and Portsentry

I think you don't have the firewall up or it is facing the wrong interface. Or you are scanning from the wrong side. My SuSEfirewall-4.3-3 DENYs (drops) connects rather than REJECTs (returns an RST packet indicating a closed port). However, if it is not up then Portsentry should have screamed like mad when scanned.

How did you scan the firewall?

Jeffrey

Quoting Steve Fenwick <SteveF@yeovil-college.ac.uk>:
Hi all,
Just a quick question, misunderstanding.
Our server will have a permanent presence on the internet. I have set up portsentry and when I scan the machine then it is reported as not there. When I activate SuSEfirewall (not the personal firewall, the full one) then the scan lists all the ports as closed (except the ones that I've opened).
Surely it would be better if the host did not appear at all.
Am I doing something wrong or is this the way that it works??? If it is the way it works then how can I hide my host???
Thanks in advance
Steve
This message is sent in confidence for the addressee only. It may contain confidential or sensitive information. The contents are not to be disclosed, copied, or forwarded to anyone other than the addressee without permission. Unauthorised recipients are requested to preserve this confidentiality and to advise us of the error in transmission, by emailing us at: info@yeovil-college.ac.uk Thank you for your cooperation.
--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com
On Thu, 7 Feb 2002 15:35:46 -0000 Steve Fenwick <SteveF@yeovil-college.ac.uk> wrote:
So from what you're saying this would explain the strange results. I am not happy that the machine is announcing its presence, so I would be relieved if the reason it is is because it already trusts me to some degree. Presumably if I dial in via my ISP and try it then I may get different results.
Hi, I'm just learning about this myself. These are my thoughts.

I'm running susefirewall2 with iptables. iptables allows packets to be ACCEPT, QUEUE, DROP, or RETURN. It seems to me the packets are being dropped instead of being returned, but isn't this preferable, to reduce network traffic? Why send the packets back? Just drop them. If dropping them causes the scanner to report a closed port, so what?

Maybe you could alter the iptables rules to RETURN instead of DROP? Since you already have ports 80 and 22 open, someone scanning you already knows your server is online, so dropping the packets scanning you is probably more efficient than returning them. You are not going to be hiding from them once 80 and 22 give a response.

I'm still too new at iptables to try switching DROP to RETURN, but one of the network experts might know how to do it.

--
$|=1;while(1){print pack("h*",'75861647f302d4560275f6272797f3');sleep(1); for(1..16){for(8,32,8,7){print chr($_);}select(undef,undef,undef,.05);}}
Dropped connect requests are reported as filtered by nmap. Rejected connects are reported as closed. Yes, dropped packets are preferable.

Jeffrey

Quoting zentara <zentara@gypsyfarm.com>:
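Steve's messages file and Jeffrey's remark that dropped connects are reported as "filtered" describe the same packets from two sides: every probe the scanner gets no answer to is a line in the firewall log. The following is an added example, not code from the thread or from SuSEfirewall2, that pulls those lines out of /var/log/messages and flags a source that has been dropped on many distinct ports. The log lines are constructed; they follow the netfilter LOG target's key=value layout, and the "SuSE-FW-DROP-DEFAULT" prefix, the SAMPLE_MESSAGES text, the function names and the min_ports threshold are assumptions made for the example.

```python
"""Spot port scans in the firewall's DROP log lines from /var/log/messages.

Added example, not code from the thread or from SuSEfirewall2. The log
lines below are constructed; they follow the netfilter LOG target's
key=value layout. "SuSE-FW-DROP-DEFAULT" is assumed to be the prefix
SuSEfirewall2 puts on default-drop logging; check the FW_LOG_* settings
in your firewall.rc.config to see what your installation actually writes.
"""
import re
from collections import defaultdict

# Constructed sample: one internal host probing six ports in two seconds,
# one unrelated NetBIOS broadcast, and one non-firewall sshd line.
SAMPLE_MESSAGES = """\
Feb  7 15:20:01 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.2 LEN=40 TTL=64 ID=1 PROTO=TCP SPT=41032 DPT=21 SYN
Feb  7 15:20:01 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.2 LEN=40 TTL=64 ID=2 PROTO=TCP SPT=41032 DPT=23 SYN
Feb  7 15:20:01 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.2 LEN=40 TTL=64 ID=3 PROTO=TCP SPT=41032 DPT=25 SYN
Feb  7 15:20:02 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.2 LEN=40 TTL=64 ID=4 PROTO=TCP SPT=41032 DPT=110 SYN
Feb  7 15:20:02 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.2 LEN=40 TTL=64 ID=5 PROTO=TCP SPT=41032 DPT=139 SYN
Feb  7 15:20:02 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.2 LEN=40 TTL=64 ID=6 PROTO=TCP SPT=41032 DPT=143 SYN
Feb  7 15:21:40 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.2 LEN=60 TTL=52 ID=7 PROTO=UDP SPT=137 DPT=137
Feb  7 15:22:13 fw sshd[812]: Accepted password for steve from 192.168.1.50 port 41100
"""

# Everything after "kernel: <prefix> " is a run of KEY=VALUE tokens (plus bare flags such as SYN).
LOG_RE = re.compile(r"kernel: (?P<prefix>SuSE-FW-[A-Z-]+) (?P<kv>.*)$")


def parse_drop_lines(text):
    """Yield one dict per firewall log line; lines without the prefix are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        fields = {"PREFIX": m.group("prefix")}
        for token in m.group("kv").split():
            key, sep, value = token.partition("=")
            fields[key] = value if sep else True  # bare flags like SYN become True
        yield fields


def scans_by_source(text, min_ports=5):
    """Map each source address to the sorted (proto, port) pairs it was dropped on.

    Only sources that touched at least min_ports distinct ports are returned;
    a single dropped broadcast is noise, a dozen different ports from one
    address in a few seconds is a scan.
    """
    ports = defaultdict(set)
    for f in parse_drop_lines(text):
        if f["PREFIX"].startswith("SuSE-FW-DROP") and "DPT" in f:
            ports[f["SRC"]].add((f["PROTO"], int(f["DPT"])))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, touched in scans_by_source(SAMPLE_MESSAGES).items():
        print(f"{src}: dropped on {len(touched)} distinct ports, e.g. {touched[:3]} -> probable port scan")
```

Against a live box, `scans_by_source(open("/var/log/messages").read())` does the same thing. Note that switching the rules from DROP to REJECT would not change these log lines at all; it would only change what the remote scanner is told ("closed" instead of "filtered"), which is why the thread's preference for DROP costs nothing on the detection side.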
It is possible to protect the firewall machine from the internal network (see FW_PROTECT_FROM_INTERNAL and the section below it in /etc/rc.config.d/firewall.rc.config). However, the internal face will almost certainly not be the same as the external one.

Try www.grc.com for an easy test (ignore the scare mongering and Windows specific language). When you are ready for the big time, try www.vulnerabilities.org. This one is scary, like sitting behind homemade armorplate while people fire machine guns at you, throw grenades, etc.

If you are using Portsentry, have the report sent to an address on another machine, otherwise the report will be blocked.

Jeffrey

Quoting Steve Fenwick <SteveF@yeovil-college.ac.uk>:
For even more choices, see:
http://www.linux-box.org/modules.php?op=modload&name=News&file=article&sid=5...

Jeffrey
On Thu, 7 Feb 2002 11:35:48 -0600 Jeffrey Taylor <jeff.taylor@ieee.org> wrote:
For even more choices, see:
http://www.linux-box.org/modules.php?op=modload&name=News&file=article&sid=5...
Thanks for that page Jeff. But it created more questions....... I did the Port Scan at grc.com, and it reported susefirewall2 had every port in stealth mode, except 113 (ident) and 5000 (UPnP), which are closed.

Now the faq at grc.com explains why most firewalls automatically close 113, instead of stealthing it. But what about 5000? What is that one about?

I see no mention of 5000 in /sbin/SuSEfirewall2; I hope this is normal. :-)

--
$|=1;while(1){print pack("h*",'75861647f302d4560275f6272797f3');sleep(1); for(1..16){for(8,32,8,7){print chr($_);}select(undef,undef,undef,.05);}}
Port 5000 hopefully is truly closed. IIRC, this is a gaping security hole in Windows. GRC is Windows centric. It may be the only high (> 1023) port that GRC checks.

You might seriously consider enabling protection on the high ports:

    FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"          # Common: "ftp-data" (sadly!)
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain time ntp"   # Common: "DNS" or "domain ntp"

If you are running X Windows, ports 6000 and up a bit are open. Try "netstat -A inet -an" to find out what high ports you have open.

Jeffrey

Quoting zentara <zentara@gypsyfarm.com>:
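Jeffrey's "netstat -A inet -an" is the check that tells you what the FW_ALLOW_INCOMING_HIGHPORTS_TCP and FW_ALLOW_INCOMING_HIGHPORTS_UDP settings actually have to admit. The block below is an added example, not code from the thread or from SuSEfirewall2: it parses netstat output in the classic net-tools column layout (the SAMPLE_NETSTAT text is constructed) and lists the high ports bound on all interfaces, which are the sockets reachable from the wire unless the firewall filters them. The Listener class and the function names are assumptions made for the example.

```python
"""Audit high (> 1023) ports a host listens on, from `netstat -A inet -an` output.

Added example, not code from the thread or from SuSEfirewall2. SAMPLE_NETSTAT
is constructed: a hypothetical host running sshd, httpd, an X server on :6000,
an X forwarding socket on loopback :6010, ntpd, a loopback resolver and an
unknown UDP socket on a high port. The column layout follows the classic
Linux net-tools netstat format.
"""
from __future__ import annotations

from dataclasses import dataclass

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.2:22          192.168.1.50:41032      ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str  # "tcp" or "udp"
    addr: str   # local address the socket is bound to
    port: int

    @property
    def wildcard(self) -> bool:
        """True when bound to every interface, i.e. reachable from the outside too."""
        return self.addr in ("0.0.0.0", "::")


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return the sockets that accept unsolicited packets.

    That is every TCP socket in LISTEN state and every bound UDP socket (UDP
    has no listen state). Established TCP connections are skipped: they are
    not services, just the remote ends of sessions already in progress.
    """
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # banner line, column header, or another protocol
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def exposed_high_ports(netstat_output: str) -> list[Listener]:
    """High ports bound on all interfaces, sorted by protocol then port.

    These are the sockets the FW_ALLOW_INCOMING_HIGHPORTS_* settings decide
    about; each one should be accounted for (X on 6000, portmap-assigned
    UDP ports, and so on) before the high ports are opened.
    """
    return sorted(
        (l for l in parse_listeners(netstat_output) if l.port > 1023 and l.wildcard),
        key=lambda l: (l.proto, l.port),
    )


if __name__ == "__main__":
    for l in exposed_high_ports(SAMPLE_NETSTAT):
        print(f"{l.proto}/{l.port} bound on {l.addr}: decide whether the firewall should admit it")
```

For live output, pass the result of `subprocess.run(["netstat", "-A", "inet", "-an"], capture_output=True, text=True).stdout` to `exposed_high_ports`. A socket bound to 127.0.0.1 (the :6010 entry in the sample) is deliberately left out because it is not reachable from the wire, while the X server on 0.0.0.0:6000 and the unknown UDP socket on 32768 are exactly the kind of thing the thread's "6000 and up a bit" warning is about.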
Does anyone know how the color of the SuSE 7.3 boot splash screen can be changed from green to blue? Razvan
Hi

On Friday 08 February 2002 11:56 am, Razvan Oprea wrote:
Does anyone know how the color of the SuSE 7.3 boot splash screen can be changed from green to blue?
this should help: http://sdb.suse.de/en/sdb/html/jkoeke_splashscreen.html

--
cu Martin
malasa@gmx.de --- http://freshmeat.net/projects/pin/