
Re: blocking ports



thus spoke David Bishop <tech@bishop.dhs.org> [2002.01.11.1550 +0100]:
> > you can configure iptables to return ICMP type 3 "port unreachable"
> > packets, just like the OS would, using the REJECT target. that's what
> > you want to do to get your desired effect.
> 
> I'll look into that, thanks.

no, i made a mistake. look into

REJECT --reject-with tcp-reset

> > however, DENYing has the advantage of *severely* slowing any
> > portscan, and because obscurity is not a security measure[1] and
> > REJECT not being any safer than DENY, you are really not gaining
> > anything...
> 
> I don't care how long it takes them to scan, I'm more concerned about
> being "picked up" by a script kiddie looking for people running nfs,
> or other stuff.

then it doesn't matter, REJECT or DENY. REJECT with tcp-reset is cool,
but DENY also just says: there's a firewall, back off! and if you have a
firewall/packet filter, then you should have it configured right, or you
might just delete it.

firewalls are bloody simple! (just like DNS is bloody simple). funny
that everyone still manages to screw it up (just like DNS).

> And finally, as opposed to common belief, obscurity *is* a security
> measure.  It's just not a complete, or even decent solution by itself.
> As a first line of defense, I'll use it :-)

it's not a security measure. period. it's an obscurity measure. they are
two different things. they might overlap, but obscurity is *not*
security. let's not get this into a flaming thread though!

> > [1] because i actually believe that one should be able to post the
> > entire LAN topology as well as server config and firewall config to
> > the net, and *still* be secure,
> 
> When I'm not forced to run inherently insecure services on the box
> (c.f. nfs), I would agree.  When I am, however, I'll take what I can
> get :-)

okay, obscurity can delay. but NFS on the internal net with a proper
firewall is as safe *from the outside* as no NFS. but 70% of attacks
come from the LAN. so if you have to use NFS, you are screwed in some
aspects, simply because obscurity doesn't apply internally.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
http://www.unix-vs-nt.org/kirch/
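An added illustration of the two filtering styles the thread contrasts, written as a small iptables script; it is not from the thread or either of its authors. It assumes an external interface named eth0 and filters the NFS port (tcp and udp 2049) that David mentions. Two caveats a practitioner should know: in iptables the silent discard is spelled DROP (DENY was the ipchains target name), and `--reject-with tcp-reset` is only accepted on TCP rules, so the UDP side of NFS has to fall back to the ICMP port-unreachable reply. Setting IPT=echo prints the rules instead of applying them, which is handy for a review without root.

```shell
# Added example, not part of the original thread.
# IPT can be overridden (IPT=echo) to preview the rules instead of loading them.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"   # assumption: name of the external interface
PORT=2049                  # NFS (nfsd) port, tcp and udp

# Variant A: the "DENY" style from the thread. iptables calls it DROP.
# Nothing is sent back, so a scanner waits for its own timeout on every probe,
# which is what makes a scan against this host slow.
drop_nfs() {
  "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport "$PORT" -j DROP
  "$IPT" -A INPUT -i "$EXT_IF" -p udp --dport "$PORT" -j DROP
}

# Variant B: answer as a host with nothing listening would.
# tcp-reset is only valid with -p tcp; UDP probes get ICMP port-unreachable,
# which is also what REJECT sends when no --reject-with is given.
reject_nfs() {
  "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport "$PORT" -j REJECT --reject-with tcp-reset
  "$IPT" -A INPUT -i "$EXT_IF" -p udp --dport "$PORT" -j REJECT --reject-with icmp-port-unreachable
}

# Rules are loaded only on an explicit request:  sh nfs-filter.sh drop|reject
case "${1:-}" in
  drop)   drop_nfs ;;
  reject) reject_nfs ;;
esac
```

Either variant keeps NFS invisible from the outside, which is the point martin makes: once the packet filter is in front of it, the choice between DROP and REJECT changes what a scanner sees, not whether the service is reachable. Neither rule does anything about clients on the LAN, where the filter is not in the path.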
