Oliver Schad wrote:

>On Thursday, 8 January 2004 at 13:06, gonzalo wrote to me:
>
>>1/8/04 8:50 AM, Oliver Schad wrote:
>>
>>>On Wednesday, 7 January 2004 at 23:05, Mark Hurst wrote to me:
>>>
>>>>It's much better to have a firewall than just have ports not open.
>>>>Even though a port is not open it can reveal the presence of your
>>>>machine by the manner in which the IP stack responds to a connection
>>>>attempt. Using a firewall you can drop those packets, making all
>>>>your closed ports invisible.
>>>>
>>>If you want to be invisible, the next router to you has to send an ICMP
>>>packet with "host unreachable". If you say nothing, anybody with some
>>>brain between his ears knows there is a very intelligent guy that
>>>wants to be invisible.
>>>
>>AFAIK they appear as "filtered", that's the difference between a closed
>>and a filtered port. The first responds with a "negative", the second
>>doesn't respond. Am I wrong?
>>
>
>That's right. But no answer means there is somebody who doesn't answer.
>Only if the last router before the target says "Hey, there is nobody",
>then there is nobody (or there is a really intelligent guy who wants
>to hide his host).
>
>To hide a host is always very stupid; why should you do this? There is no
>advantage. If you "hide" your computer, an attacker knows there is a
>stupid guy who doesn't know anything about network security.
>
>Regards
>Oli
>
Well, in this world, not every admin is a security guru, nor is every cracker. I agree with the arguments stated above, but in my (little) experience I encountered mostly script kiddies. I am sure that an experienced cracker can break into my box, because I am not smart enough to secure it 100% (I know, there is never 100% security, but it can be close). But I guess a script kiddie will not see the difference between a timeout and host unreachable, presuming the host is down. A closed port makes it obvious that there is a box, saying "my port XXX is closed".

On the other hand, an attacker often knows the host he attacks, because it runs some services, like a web server, so dropping packets on other ports doesn't make sense either.

Anyway, I'll rewrite my scripts to use the REJECT target; thanks all for another piece of stuff I can put between my ears :-) I didn't think about this problem before.

Petr Chyba

-- 
gentoo-security@g.o mailing list
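The thread turns on what a remote TCP connect() actually sees under each of the three behaviours discussed: a plainly closed port (the kernel answers with a RST), a DROP rule (no answer at all, the "filtered" case), and a REJECT rule that returns an ICMP "host unreachable". The following script is an added illustration written for this page, not code from the thread or from any poster. It probes a port the way a simple connect scanner does and maps the resulting socket error to the verdict a scanner would report. Only the open and closed cases can be produced on the loopback interface without a firewall, so the DROP and REJECT cases are fed in as the exceptions the kernel raises for them (socket.timeout, and OSError with EHOSTUNREACH); the `probe`, `classify`, `demo_local` and `simulated_verdicts` names are this example's own.

```python
"""Added example (not from the gentoo-security thread): what a TCP
connect() probe observes under a closed port, a DROP rule and a REJECT rule.

Scanner-side view of each outcome:
  open        : SYN/ACK comes back, connect() succeeds
  closed      : kernel answers the SYN with RST        -> ECONNREFUSED
  filtered    : packet silently discarded (-j DROP)    -> connect() times out
  unreachable : ICMP type 3 returned by the firewall   -> EHOSTUNREACH / ENETUNREACH
                (-j REJECT --reject-with icmp-host-unreachable)
  A REJECT with --reject-with tcp-reset looks exactly like "closed".
"""
import errno
import socket


def classify(exc):
    """Map the exception raised by connect() (or None) to a scanner verdict."""
    if exc is None:
        return "open"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"          # RST came back: there is a host, the port is closed
    if isinstance(exc, socket.timeout):
        return "filtered"        # nothing came back at all: the DROP case
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"     # ICMP unreachable from the firewall/router: the REJECT case
    return "error"               # anything else (DNS failure, permission, ...)


def probe(host, port, timeout=2.0):
    """Attempt one TCP connect() and return the scanner verdict for that port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return classify(None)
    except OSError as e:        # socket.timeout and ConnectionRefusedError are subclasses
        return classify(e)
    finally:
        s.close()


def demo_local():
    """Produce the two verdicts loopback can show without a firewall.

    Listen on an ephemeral 127.0.0.1 port, probe it while listening (open),
    close the listener, probe again (closed: the kernel now replies with RST).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_open = probe("127.0.0.1", port)
    finally:
        srv.close()
    after_close = probe("127.0.0.1", port)
    return while_open, after_close


def simulated_verdicts():
    """Constructed inputs for the cases loopback cannot produce by itself."""
    return {
        "drop": classify(socket.timeout("timed out")),
        "reject_icmp": classify(OSError(errno.EHOSTUNREACH, "No route to host")),
        "reject_tcp_reset": classify(ConnectionRefusedError(errno.ECONNREFUSED, "refused")),
    }


if __name__ == "__main__":
    while_open, after_close = demo_local()
    print("listening port :", while_open)
    print("closed port    :", after_close)
    for name, verdict in simulated_verdicts().items():
        print(f"{name:17}: {verdict}")
```

Run against a real firewall rather than loopback, `probe()` returns "filtered" for ports behind a DROP rule and "unreachable" for ports behind `REJECT --reject-with icmp-host-unreachable`, which is exactly the distinction the posters are arguing about: the timeout tells the scanner something is discarding its packets, the ICMP reply is what an absent host would produce, and a plain closed port or a `tcp-reset` REJECT both announce a live machine.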