
Re: blocking ports




On Thursday 10 January 2002 04:14 pm, martin f krafft wrote:
> also sprach David Bishop <tech@bishop.dhs.org> [2002.01.10.1634 +0100]:
> > I'm running a server that's hot to the net, and running some insecure
> > services (by necessity), like nfs.  Of course, I used iptables to
> > block all those ports, using nmap and netstat to double check all my
> > open ports.  However, what nmap reports back is "filtered" for those
> > ports.  I would prefer if I could somehow make it so that they are
> > "closed" to the outside world, so that random j. hacker doesn't know
> > that I'm running that service at all.  Is there some way to do that,
> > or do I just live with "filtered"?
>
> you can configure iptables to return ICMP type 3 "port unreachable"
> packets, just like the OS would, using the REJECT target. that's what
> you want to do to get your desired effect.

I'll look into that, thanks.

> however, DENYing has the advantage of *severely* slowing any portscan,
> and because obscurity is not a security measure[1] and REJECT not being
> any safer than DENY, you are really not gaining anything...

I don't care how long it takes them to scan, I'm more concerned about being 
"picked up" by a script kiddie looking for people running nfs, or other 
stuff.  And finally, as opposed to common belief, obscurity *is* a security 
measure.  It's just not a complete, or even decent solution by itself.  As a 
first line of defense, I'll use it :-)

> [1] because i actually believe that one should be able to post the
> entire LAN topology as well as server config and firewall config to the
> net, and *still* be secure,

When I'm not forced to run inherently insecure services on the box (cf. 
nfs), I would agree.  When I am, however, I'll take what I can get :-)

-- 
D.A.Bishop
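As an added example (not part of this thread), a small Python script that parses nmap's grepable (-oG) output for a host like the one described and emits one iptables REJECT rule per port the scan did not show as closed; the scan text is a constructed sample. It also encodes how nmap decides the state from the reply it gets: in a TCP SYN scan only a RST yields "closed" and an ICMP port-unreachable is still reported as "filtered", while in a UDP scan the ICMP port-unreachable does yield "closed", so the --reject-with type is chosen per protocol.

```python
"""Read an nmap grepable (-oG) report of one's own host and emit iptables REJECT rules
that make each 'filtered' port answer the way a port with no listener answers."""
import re
from typing import List, NamedTuple

class Port(NamedTuple):
    number: int
    proto: str
    state: str    # nmap state: open, closed, filtered, open|filtered
    service: str

# Constructed sample of `nmap -sS -sU -oG -` output for the setup in the thread: an NFS
# server whose firewall DROPs packets to portmapper and nfs, so nmap reports "filtered".
SAMPLE_SCAN = (
    "# Nmap run (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 111/filtered/tcp//sunrpc///, "
    "2049/filtered/tcp//nfs///, 2049/open|filtered/udp//nfs///\tIgnored State: closed (2040)\n"
)
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)//([^/]*)///")  # port/state/proto/owner/service/rpc/version/

def parse_grepable(text: str) -> List[Port]:
    """Pull (port, proto, state, service) tuples out of the Ports: field of each Host line."""
    ports = []
    for line in text.splitlines():
        if line.startswith("Host:"):
            for field in line.split("\t"):
                if field.startswith("Ports:"):
                    ports += [Port(int(m[1]), m[3], m[2], m[4]) for m in PORT_RE.finditer(field)]
    return ports

def nmap_state(proto: str, reply: str) -> str:
    """State nmap infers from the reply to one probe. SYN scan: SYN/ACK open, RST closed,
    silence or any ICMP unreachable filtered. UDP scan: ICMP port unreachable closed,
    silence open|filtered, other ICMP unreachables filtered."""
    if proto == "tcp":
        return {"syn-ack": "open", "rst": "closed"}.get(reply, "filtered")
    return {"udp-reply": "open", "icmp-port-unreachable": "closed", "none": "open|filtered"}.get(reply, "filtered")

# What the scanner receives for each iptables target (DROP: nothing at all).
REPLY_OF = {"DROP": "none", "tcp-reset": "rst", "icmp-port-unreachable": "icmp-port-unreachable"}

def hide_rule(port: Port) -> str:
    """REJECT rule whose reply makes nmap show the port as closed: a RST for TCP, an ICMP
    port-unreachable (what the kernel itself sends when nothing listens) for UDP."""
    reject_with = "tcp-reset" if port.proto == "tcp" else "icmp-port-unreachable"
    return f"iptables -A INPUT -p {port.proto} --dport {port.number} -j REJECT --reject-with {reject_with}"

def plan(text: str) -> List[dict]:
    """For every port the scan did not show as open or closed: the rule to add and the state
    nmap will report afterwards (derived via REPLY_OF, so it double-checks the rule choice)."""
    out = []
    for p in parse_grepable(text):
        if p.state in ("filtered", "open|filtered"):
            rule = hide_rule(p)
            after = nmap_state(p.proto, REPLY_OF[rule.split("--reject-with ")[1]])
            out.append({"port": f"{p.number}/{p.proto}", "service": p.service, "rule": rule, "after": after})
    return out

if __name__ == "__main__":
    for entry in plan(SAMPLE_SCAN):
        print(f"{entry['port']:>10} ({entry['service']}): {entry['rule']}  -> {entry['after']}")
```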


