I am running SUSE Linux 8.2 (v2.4 kernel). I am using the machine as a router, firewall (SUSEFirewall2) and http proxy (squid) for my home network.
I have checked using www.grc.com which ports I have open to the outside world and find that all ports up to 1056 are in stealth mode EXCEPT port 113 (IDENT) which is reported as closed. So my machine can be detected on
Have a closer look at /sbin/SuSEfirewall2
[...snip...]
# If port 113 (auth/identd) will not allowed below, outgoing mail would
# be delayed most of the time. Hence we put a hardcoded reject line in.
$IPTABLES -I input_ext 1 -j "$REJECT" -p tcp --dport 113 --syn 2> /dev/null
[...snip...]
# If port 113 (auth/identd) was not allowed above, outgoing mail would
# be delayed most of the time. Hence we put a hardcoded reject line in.
for CHAIN in input_ext input_int; do
$LDA $IPTABLES -A $CHAIN -j LOG ${LOG}"-REJECT " -p tcp --dport 113 --syn
$IPTABLES -A $CHAIN -j "$REJECT" -p tcp --dport 113 --syn 2> /dev/null
done
[...snip...]
That means all traffic to port 113 will be rejected.
Have a look at the comments (see above) before changing anything - not
recommended unless you know what you are doing!
Anyway, connections to port 113 are blocked, so why hide your machine from the
outside world?
A machine is only as safe as its inside security (try
secumod/PERMISSION_SECURITY)!
Being invisible will bring you nothing if the kernel is vulnerable to exploits.
Better update your kernel to the patched one without the iptables bug!
Try to set up SuSEfirewall2 this way:
# 19.)
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
# 20.)
FW_ALLOW_FW_TRACEROUTE="no"
Now tracing and pinging will be impossible.
Another fine result is that stealth scans and other mass port scans will now
take ages (1/2 or 1 hour depending on connection type)!
This does not make your machine invisible, but scanners won't have fun scanning
your box because of the long time needed for the scan.
Scan detection/protection from an older mail on the suse-security list:
[quote]
I got the following from the Packet Filtering HOWTO, by
Rusty Russell.
You may need to filter the INPUT chain as well, to protect
your own machine(s).
USE AT YOUR OWN RISK!!!
#------------------------------------------------------#
# NOTE: each "-m limit ... -j ACCEPT" rule only accepts packets up to
# the given rate; packets beyond it are NOT dropped by these rules but
# fall through to whatever follows. They only protect anything when a
# later DROP rule or a DROP chain policy catches the excess.
#------------------------------------------------------#
# LOG Syn-flood Denial of Service attempts - 10 per hour
iptables -A FORWARD -p tcp --syn -m limit --limit 10/h \
-j LOG --log-prefix 'Syn-flood attack??? '
# Syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG Furtive Port Scanner attempts - 10 per hour
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-m limit --limit 10/h -j LOG --log-prefix 'Port Scanner attack??? '
# Port Scanner protection
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG Ping of Death Denial of Service attempts - 10 per hour
iptables -A FORWARD -p icmp --icmp-type echo-request \
-m limit --limit 10/h -j LOG --log-prefix 'Ping of Death attack??? '
# Ping of Death protection
iptables -A FORWARD -p icmp --icmp-type echo-request \
-m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
Regards - Keith Roberts
[/quote]
With best wishes
Philippe
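To see how the "-m limit" rules quoted above actually behave, here is an added model (not from the thread, the HOWTO or SuSEfirewall2) of the iptables limit match as a token bucket that starts full at --limit-burst (default 5) and refills at the configured rate, run over a constructed burst of 20 SYNs in one second; it shows that without a DROP after the limited ACCEPT every packet still passes.

```python
# Added model of the iptables "limit" match (token bucket, full at
# --limit-burst, default 5, refilled at --limit RATE); constructed data.
from dataclasses import dataclass, field

@dataclass
class Limit:
    """Approximates -m limit --limit <rate_per_s> --limit-burst <burst>."""
    rate_per_s: float
    burst: int = 5
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = float(self.burst)  # bucket starts full
        self.last = 0.0

    def matches(self, t: float) -> bool:
        # refill in proportion to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate_per_s)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def run_chain(rules, policy, times):
    """rules: (Limit or None, target) pairs; None matches everything.
    LOG is non-terminating, as in iptables. Returns (verdicts, log_count)."""
    verdicts, logged = [], 0
    for t in times:
        verdict = policy
        for lim, target in rules:
            if lim is not None and not lim.matches(t):
                continue
            if target == "LOG":
                logged += 1
                continue
            verdict = target
            break
        verdicts.append(verdict)
    return verdicts, logged

def syn_flood_demo(final_drop: bool):
    """20 SYNs in one second against the 'Syn-flood protection' rules above."""
    times = [i * 0.05 for i in range(20)]  # constructed packet times (s)
    rules = [(Limit(10 / 3600), "LOG"), (Limit(1.0), "ACCEPT")]  # 10/h LOG, 1/s ACCEPT
    if final_drop:
        rules.append((None, "DROP"))  # the drop the HOWTO relies on (policy or rule)
    verdicts, logged = run_chain(rules, "ACCEPT", times)
    return verdicts.count("ACCEPT"), verdicts.count("DROP"), logged
```

With a chain policy of ACCEPT and no trailing DROP, all 20 SYNs are accepted and only the first 5 are logged; with the DROP in place, 5 are accepted and 15 dropped.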
----- Original Message -----
From: "Philip B Cook"
port although it will not respond.
I have seen suggestions that it is possible to ROUTE any incoming traffic on port 113 to a fictitious IP address on my local net, resulting in full stealth.
Does anyone know how this can be done by configuring my SUSEFirewall2.conf file?
I do not have a DMZ setup. The firewall machine is also providing a caching DNS and DHCP services to the local network as well as being the Browse Master for my Windows network using SAMBA.
Any suggestions on how to prevent port 113 from being visible?
Also, is there a way to get new settings from SUSEFirewall2.conf to be loaded without having to reboot?
Thanks for your help.
Philip
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here