
Re: What about closed ports?



On Thu, Jun 28, 2001 at 09:28:42AM -0300, Pedro Zorzenon Neto wrote:
> Hi folks,
> 
> Suppose I ultimately trust my 192.168.1.x users.
> To the outside world, the only service 'nmap' shows as open is TCP port 22 -> ssh.
> 
> So, if 'ssh' has some security bug, people can use this bug to exploit my system. That I know is true.
> 
> Now, what I'd like to know...
> 
> Is there any way of getting some exploit in a CLOSED port? Some kernel, ipchains or other bug that allows someone to exploit closed ports?
> What about ports that are open to 192.168.1.x but are REJECTed by ipchains to the internet. Are they exploitable from the internet?
> If the port is CLOSED, then is it safe?
> 
> 
Hmmm... Correcting the other guy, if the port is closed, it means that nobody
listens to connections on this port. If something is listening, but the
firewall blocks the service, the port is considered filtered.

In any case, to answer your question: if all your ports are closed, there is
still a way to exploit some bug in either the kernel TCP/IP implementation or
the firewalling code (ipchains). Or someone could exploit some mistake in your
firewall configuration. For example, if you set your kernel to assemble all
packets before forwarding, I could try and flood you with TCP fragments hoping
that your firewall will run out of buffer space needed to assemble them and
will crash. If your ipchains allows fragmented packets to go through without
checking if they belong to any particular connection, I can (supposedly) try to
use the fragmented IP flag to do stuff behind your firewall, etc. etc. etc.


-- 
"The pure and simple truth is rarely pure, and never simple." Oscar Wilde
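The fragment trick the reply alludes to is easier to see in code than in prose. The following is an added example, not part of the original thread or of ipchains itself: a toy model of a stateless packet filter that, like ipchains, can only inspect the TCP header in the first fragment of a datagram and lets later fragments through unexamined. It shows the two classic RFC 1858 bypasses (a first fragment too short to contain the TCP flags, and a later fragment that overlaps and rewrites the header so an "ACK" becomes a "SYN"), then the filter with the RFC 1858 checks added. The rule set (port 22 open, other inbound SYNs dropped), the use of port 23 as a stand-in for a service meant only for 192.168.1.x, the last-writer-wins reassembly policy, and all fragment bytes are constructed assumptions for illustration.

```python
"""Fragment tricks against a stateless TCP filter (constructed toy model).

A filter that only looks at the first fragment of a datagram can be fooled
either by a first fragment too short to hold the TCP flags ("tiny fragment")
or by a later fragment that overlaps and rewrites the header ("overlapping
fragment").  Fragments, rules and reassembly policy are all assumptions made
for illustration; nothing here is captured traffic or kernel code.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

TCP_HDR_LEN = 20   # minimal TCP header, no options
FLAG_SYN = 0x02
FLAG_ACK = 0x10


@dataclass
class Fragment:
    offset: int     # byte offset within the original datagram (multiple of 8)
    more: bool      # IP "more fragments" flag
    payload: bytes  # this fragment's slice of the transport segment


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a 20-byte TCP header with the given ports and flags (checksum left zero)."""
    hdr = bytearray(TCP_HDR_LEN)
    hdr[0:2] = sport.to_bytes(2, "big")
    hdr[2:4] = dport.to_bytes(2, "big")
    hdr[12] = (TCP_HDR_LEN // 4) << 4   # data offset: 5 words
    hdr[13] = flags
    return bytes(hdr)


def stateless_filter(frag: Fragment, allowed_ports=(22,)) -> bool:
    """ipchains-style inbound rules: pass a first fragment if it is for an allowed
    port or is not a SYN (so replies to connections we opened get in); later
    fragments carry no TCP header, so they are passed without inspection."""
    if frag.offset != 0:
        return True
    dport = int.from_bytes(frag.payload[2:4], "big")
    # Flags byte missing from a short first fragment is treated as "not a SYN".
    flags = frag.payload[13] if len(frag.payload) > 13 else 0
    return dport in allowed_ports or not (flags & FLAG_SYN)


def hardened_filter(frag: Fragment, allowed_ports=(22,)) -> bool:
    """Same rules plus the RFC 1858 checks: a first fragment must carry the whole
    TCP header, and no later fragment may start inside the header region."""
    if frag.offset == 0 and len(frag.payload) < TCP_HDR_LEN:
        return False
    if 0 < frag.offset < TCP_HDR_LEN:
        return False
    return stateless_filter(frag, allowed_ports)


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Toy reassembler: fragments are written in arrival order, so a later one
    overwrites earlier bytes where they overlap.  Real stacks differ in which
    copy wins, which is one reason this attack is target-dependent."""
    total = None
    for f in frags:
        if not f.more:
            total = f.offset + len(f.payload)
    if total is None:
        return None
    buf, seen = bytearray(total), bytearray(total)
    for f in frags:
        end = f.offset + len(f.payload)
        if end > total:
            return None
        buf[f.offset:end] = f.payload
        seen[f.offset:end] = b"\x01" * len(f.payload)
    return bytes(buf) if all(seen) else None


def deliver(frags: List[Fragment], rule: Callable[[Fragment], bool]) -> Optional[Tuple[int, int]]:
    """Filter each fragment as it arrives, reassemble what got through, and return
    the (dport, flags) the host behind the firewall sees; None if nothing complete."""
    seg = reassemble([f for f in frags if rule(f)])
    if seg is None or len(seg) < TCP_HDR_LEN:
        return None
    return int.from_bytes(seg[2:4], "big"), seg[13]


def tiny_fragment_attack(dport: int) -> List[Fragment]:
    """First fragment holds only ports and sequence number; the SYN flag is in the second."""
    syn = tcp_header(40000, dport, FLAG_SYN)
    return [Fragment(0, True, syn[:8]), Fragment(8, False, syn[8:])]


def overlap_attack(dport: int) -> List[Fragment]:
    """Decoy first fragment looks like an ACK to dport; the second fragment, at
    offset 8, rewrites bytes 8..19 of the header so the flags become SYN."""
    syn = tcp_header(40000, dport, FLAG_SYN)
    decoy = tcp_header(40000, dport, FLAG_ACK)
    return [Fragment(0, True, decoy), Fragment(8, False, syn[8:])]


if __name__ == "__main__":
    # Port 23 stands in for a service meant to be reachable only from 192.168.1.x.
    for name, attack in (("tiny", tiny_fragment_attack), ("overlap", overlap_attack)):
        print(name, "vs stateless:", deliver(attack(23), stateless_filter))
        print(name, "vs hardened: ", deliver(attack(23), hardened_filter))
```

Against the stateless rules both attacks deliver a SYN to port 23, a port the filter was supposed to keep internal-only; against the hardened rules neither datagram ever completes. Reassembling before filtering, which is what the reply means by setting the kernel to assemble all packets before forwarding, removes the whole class of problem at the cost of the reassembly buffers the reply warns can be flooded, so a per-source limit and timeout on incomplete datagrams is the usual companion to that setting.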


