On Thursday 22 February 2007, Michael Sullivan wrote:

> Also, I've always heard that you shouldn't
> have any ports open on your machine unless you have some server bound
> to that port because hackers can get in through unbound open ports.
> Is this true? If so, how does it work?

That sounds like something out of Hollywood, perhaps that atrocious movie
called Hackers with Angelina Jolie in it.....

I fail to see how, in this universe, you can open a port and not have
something listen on it. Let's face it: a process, or the kernel itself,
asks to be informed about packets arriving for port X. What is port X?
It's a number in the TCP/UDP packet so the receiving kernel knows which
process to send the data to. If that process is not listening, the
packets go ... nowhere. They don't have magic Gandalfs inside them that
suddenly sprout up and do l33t h4x0r sh1t to your machine.

Maybe there's some default behaviour the kernel applies to packets that
are sent to hung/sleeping/absent processes. Maybe that default
behaviour is such that there's a buffer overflow waiting to be
exploited. Maybe... I think I wanna see the code and not some bullshit
posted on an arb blog somewhere.

You should be much more worried about vulnerabilities in known software
that you don't really use that are running by default.

By far the most common attack vector is weak user names and passwords
accessed via ssh. Solution is a sensible password policy, or allow ssh
access only via keys.

Then there's php, but I don't think you want to get me started on
that...

alan

--
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?

Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
--
gentoo-user@g.o mailing list