
Re: portsentry dangerous? hardly; RTFM. (was Re: checking security logs)



On Mon, Jan 29, 2001 at 12:33:03PM +0000, thomas lakofski wrote:
[]

> bah.  all this talk about portsentry being dangerous forgets that you can
> also run it so it only triggers after a full TCP connect.  while not
> un-spoofable, it's very hard for an attacker to spoof as they have to be
> in-line between your host and the host they're trying to spoof.  plus,
> they'll have a task guessing sequence numbers.

Hard? Heard of determination, as well as skr1pt k1dd1es?

> portsentry has been protecting my host without a firewall in front of it for
> three years now; it has always worked exactly as it said it would.

Who says someone's going to go through a full SYN connect, anyway? Sounds like
you need a stateful firewall to be somewhat safer.

I, for one, am decidedly not fond of anything that works by dangling bells on
a wire and hoping someone will trip them, not protecting valid listeners
against either bad content or non-SYN packets, not taking into account that
ports on which there are already listeners are possibly the results of a
default install that hasn't been reconfigured, and then goes ahead and messes
with my firewall rules as well.

And what about UDP packets? It won't take as much effort to spoof one of
those, and you're susceptible to more IP#s than just your own being spoofed:
what if someone impersonates your upstream nameserver, webcache or router and
your portsentry or equivalent trips & blocks it? That's not just damned
annoying, it'd cost me valid business.

I suppose it's horses for courses, anyway. If you like portsentry, go ahead,
see what happens, it might well suit you for a mostly-open scenario. (We do
this question on comp.os.linux.security every so often, btw.)

> all this stuff is in the documentation anyway.  does anyone read
> documentation anymore?  it's more productive than guessing in public.

Docs, what're they? ;8^)

~Tim
-- 
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++ 
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-	     
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/
| All our roads are waiting / To be revealed | piglet@glutinous.custard.org
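
An added example, not part of the thread and not portsentry's code: a toy reactive-blocker decision function that reproduces the failure mode Tim describes (a single spoofed UDP datagram carrying your upstream nameserver's address gets the nameserver blocked) next to a hardened policy that only reacts to completed TCP connects and never blocks hosts on an ignore list. All addresses and events are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    proto: str        # "tcp" or "udp"
    src: str          # source address as seen on the wire (spoofable for UDP and bare SYN)
    dport: int        # destination port that was probed
    completed: bool   # True only if a full TCP three-way handshake finished


# Constructed infrastructure addresses (hypothetical): upstream nameserver and router.
IGNORE = {"192.0.2.53", "192.0.2.1"}


def should_block_naive(ev: Event) -> bool:
    """React to any probe on any protocol with no ignore list: the behaviour the thread warns about."""
    return True


def should_block_hardened(ev: Event) -> bool:
    """Block only a completed TCP connect from a host that is not on the ignore list."""
    if ev.src in IGNORE:
        return False          # infrastructure you depend on is never auto-blocked
    if ev.proto != "tcp" or not ev.completed:
        return False          # UDP or half-open SYN: trivially spoofable, do not react
    return True


def blocked_hosts(events, policy) -> set:
    """Return the set of source addresses a given policy would add to the firewall block rules."""
    return {ev.src for ev in events if policy(ev)}


# Constructed events: a spoofed UDP probe "from" the nameserver, a bare SYN "from"
# the router, and a genuine full-connect probe from an unrelated host.
SAMPLE = [
    Event("udp", "192.0.2.53", 111, False),
    Event("tcp", "192.0.2.1", 23, False),
    Event("tcp", "203.0.113.7", 23, True),
]

if __name__ == "__main__":
    print(blocked_hosts(SAMPLE, should_block_naive))     # nameserver and router get blocked too
    print(blocked_hosts(SAMPLE, should_block_hardened))  # only the host that really connected
```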