List Archive: gentoo-security
> To hide a host is always very stupid, why should you do this? There is no
> advantage. If you "hide" your computer an attacker knows there is a
> stupid guy who doesn't know anything about network security.
You're rather free with calling people "stupid" with little to no
justification. One could as easily turn it around and ask "why should my
server reply at all to connection attempts to ports I am not running any
If I am just running a web server, nobody has any business connecting to any
port besides 80/tcp and 443/tcp. ICMP traffic is fine, but what legitimate
purpose is there in attempting a connection to another tcp port? If I were
running another service at that IP address, it would be advertised through
the appropriate channels. Users would (obviously) not need to run a port
scan to discover it.
Since the person is trying to connect to a port they have no business
connecting to, I don't see why my server should send out a packet in reply.
It's not about hiding the server or some fictitious security gain --
although as someone pointed out replying to potentially spoofed source
addresses could be leveraged into some form of DoS attack. While the
chances of this are probably not high, they are precisely *zero* if you
don't bother to reply in the first place.
The issues of "ident lookups" and "difficult to troubleshoot" are in my
opinion not relevant. If you are relying on the behavior of REJECT vs DROP
to ensure that supported applications behave correctly, you might be better
advised to just figure out what network access is necessary in the first
place and enable that.
As far as RFCs go, the only relevant excerpt I could find was quoted on
http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject and seems
to only cover the side initiating the connection. That is, IF they get a
"REJECT" packet then they should immediately abort the connection and notify
the application. If their connection is just dropped and we never tell
them, so what?
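As an added illustration (not part of the thread, and not any poster's configuration), here is what the "web server only" policy argued above looks like as an nftables ruleset: established traffic, loopback, ICMP, and 80/443 are accepted, and everything else is silently dropped by the chain policy. The commented lines show the REJECT variant under discussion; the interface name and addresses are left generic, since the post names none.

```nft
# Added example: minimal input policy for a host that only serves HTTP/HTTPS.
# Assumes an inet (dual-stack) table; nothing here is site-specific.
table inet filter {
    chain input {
        # DROP is the default: unsolicited packets get no reply at all.
        type filter hook input priority 0; policy drop;

        # Replies to connections this host initiated, and related traffic.
        ct state established,related accept
        ct state invalid drop

        # Loopback is always fine.
        iif "lo" accept

        # ICMP/ICMPv6 stay open (path MTU discovery, neighbour discovery, ping).
        meta l4proto { icmp, icmpv6 } accept

        # The only advertised services.
        tcp dport { 80, 443 } accept

        # REJECT alternative from the thread, shown for comparison (leave
        # commented out to keep the drop policy):
        #   meta l4proto tcp reject with tcp reset
        #   reject with icmpx type port-unreachable
        # Either line answers every probe with a packet addressed to the
        # packet's claimed source, which is the reflection concern raised
        # above; with the drop policy no such packet is ever generated.
    }
}
```

Load it with `nft -f <file>` after reviewing it; with `policy drop` in place, any management service (SSH, monitoring) the host really does run needs its own accept rule before the rules above take effect.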