Mailinglist Archive: opensuse-security (359 mails)

Re: [suse-security] HTTP Strange LOG
  • From: Peter van den Heuvel <peter@xxxxxxxxxxxxxxxx>
  • Date: Thu, 10 Jul 2003 11:50:01 +0200
  • Message-id: <3F0D36C9.8020009@xxxxxxxxxxxxxxxx>
> I think a protection can only let pass established connection through
> your iptables firewall and drop all ports used by known trojans. The
> best is to drop all trojan connections (INPUT-, FORWARD- and
> OUTPUT-CHAIN).

1) "To only let pass an established connection"? Please explain how you imagine connections getting established, as at that stage they are NOT yet established and no traffic will pass.
2) Code Red is a worm, and its propagation does not relate to it also being a trojan.
3) There is no such thing as "all known ports" used by trojans.
4) If you need security, you drop or reject everything except what you require.
5) You must do so with regard to direction. And even that is of limited help, as the more advanced trojans use various chat services to actively connect from the inside out.
6) Many worms and trojans use legitimate ports AND the designated protocol along with it. Then they exploit some weakness in the server (or client) software (often buffer overflows) to make the software behave outside its specification. Code Red in fact uses HTTP over port 80. In fact, a mighty security suggestion: block port 80 towards your web server.

Peter

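The following is an added example and not code posted by either participant in this thread. It shows what points 1), 4) and 5) above look like as an actual iptables ruleset: all three chains default to DROP, inbound services are opened explicitly, outbound connections are restricted by direction, and only the handshake packet (state NEW) needs a rule of its own, because everything after it matches ESTABLISHED. The interface name eth0, the port list and the log prefixes are assumptions chosen for the example; the ruleset is emitted in iptables-restore format so it can be reviewed before it is applied.

```shell
#!/bin/bash
# Added example, not code from the thread: a stateful default-deny iptables
# ruleset for a single host that serves SSH and HTTP and needs DNS and HTTP(S)
# out. Interface name "eth0" and the port list are placeholders.

# Emit the ruleset in iptables-restore(8) format rather than applying it,
# so it can be reviewed, diffed and checked before it touches the live firewall.
gen_ruleset() {
    local wan_if="${1:-eth0}"      # assumed interface name
    local in_tcp="${2:-22 80}"     # inbound TCP services this host must offer
    local p
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # The SYN that opens a connection is state NEW, not ESTABLISHED; it only
    # gets through if a rule like these accepts it. Everything after the
    # handshake matches the ESTABLISHED rule above. Direction matters:
    # these rules say nothing about what the host may initiate itself.
    for p in $in_tcp; do
        echo "-A INPUT -i $wan_if -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Outbound connections the host itself is allowed to open. A program that
    # phones home over some other port or protocol is dropped by the OUTPUT
    # policy and shows up in the log below.
    cat <<EOF
-A OUTPUT -o $wan_if -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $wan_if -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $wan_if -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-OUT: "
COMMIT
EOF
}

# Sanity check before applying: every chain must default to DROP, and no
# ACCEPT rule may match without a state or loopback-interface restriction.
# Returns 0 if the ruleset passes, 1 otherwise.
check_ruleset() {
    local rs="$1" chain
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rs" | grep -q "^:$chain DROP" || return 1
    done
    if printf '%s\n' "$rs" | grep -E -- '-j ACCEPT$' \
        | grep -qEv -- '(--state |-i lo |-o lo )'; then
        return 1
    fi
    return 0
}

# Apply the generated ruleset atomically (needs root); refuses a ruleset that
# fails the check so a typo cannot leave the host with an ACCEPT policy.
apply_ruleset() {
    local rs
    rs="$(gen_ruleset "$@")"
    check_ruleset "$rs" || { echo "ruleset failed sanity check" >&2; return 1; }
    printf '%s\n' "$rs" | iptables-restore
}

# Usage: gen_ruleset eth0 "22 80" to review; apply_ruleset eth0 "22 80" as root.
```

Note what this does and does not buy you, in line with point 6): port 80 has to stay open on a web server, so a ruleset like this does nothing against a worm that speaks valid HTTP to a vulnerable server. It limits what an already compromised host can do next (the OUTPUT policy and its log line), and it drops the blanket "trojan port" lists, which add nothing once everything not required is dropped anyway.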
