From owner-freebsd-security Tue Apr 13 08:33:04 1999
Delivered-To: freebsd-security@freebsd.org
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (Postfix) with ESMTP id E4A74156B7 for ; Tue, 13 Apr 1999 08:33:01 -0700 (PDT) (envelope-from jared@puck.nether.net)
Received: (from jared@localhost) by puck.nether.net (8.9.3/8.7.3) id LAA21022; Tue, 13 Apr 1999 11:30:39 -0400 (envelope-from jared)
Date: Tue, 13 Apr 1999 11:30:39 -0400
From: Jared Mauch
To: cjclark@home.com
Cc: Keith Stevenson , freebsd-security@FreeBSD.ORG
Subject: Re: Sequential TCP port allocation?
Message-ID: <19990413113039.H17083@puck.nether.net>
Mail-Followup-To: cjclark@home.com, Keith Stevenson , freebsd-security@FreeBSD.ORG
References: <19990412120126.B15762@homer.louisville.edu> <199904131505.LAA21502@cc942873-a.ewndsr1.nj.home.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: <199904131505.LAA21502@cc942873-a.ewndsr1.nj.home.com>; from Crist J. Clark on Tue, Apr 13, 1999 at 11:05:03AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The easiest way to determine the ease of TCP sequence guessing is to use nmap (www.insecure.org/nmap/), which will even go as far as telling you what OS the box is running. I would recommend this tool to everyone.

On Tue, Apr 13, 1999 at 11:05:03AM -0400, Crist J. Clark wrote:
> [I can't help too much with the subject matter, but this might be
> better suited to -security. I'm forwarding this there. However, one
> comment below.]
>
> Keith Stevenson wrote,
> > We recently had an auditing firm run ISS against our network. The only
> > "vulnerability" detected on our production FreeBSD box was a problem with
> > "Predictable Sequence Ports". The description states that this FreeBSD box
> > allocates its port numbers in sequential order.
> > ...
>
> I think it does matter if it is a 'real' vulnerability, _especially_
> when talking to management. If it is going to cost $$$ to fix the
> problem or go with another solution, one must weigh risks against such
> a cost. There is no such thing as security-at-all-costs (unless you
> work for the NSA or sumthin'). If you truly want to be secure, do not
> connect to the Internet, assign each user random passwords (but make
> sure they don't write them down on Post-It Notes(tm) on the side of
> the monitor), and put all of the machines in an access controlled
> area with EM screening to keep in the Tempest radiation. Of course,
> that's an outlandish example, but one must remember there are always
> costs and benefits to be weighed.

Yes. Putting machines behind an outgoing-only firewall, or only allowing a few things in (smtp, ident, ssh), will greatly reduce the number of attacks possible. Take a close look at everyone that probes your portmapper, and audit your machines for suid binaries that are not used by you. Are you using lpr/lpd and such? What about uucp?

I make it a habit to remove suid bits (and sgid) from most everything possible (I've been kinda slacking recently on that), but it makes it more and more difficult to break into the system once you're on it. It's almost safe to say once you have an account on the system, you can do whatever you want, because there'll be some unknown bug, etc. that may be hiding away from you, and someone has to be the one to find it ;)

Also, remember that physical access == root in 99.99% of the cases.

- Jared

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
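A local self-check for the finding the scanner reported (sequential ephemeral port allocation), added here as an example that is not part of the thread: it asks the local kernel for a batch of ephemeral ports by binding to port 0 on loopback and reports whether successive allocations step by exactly one. The function names and the 0.5 threshold are my own choices, not anything from the list or from ISS.

```python
import socket


def sample_ephemeral_ports(n=20):
    """Obtain n kernel-assigned ephemeral ports by binding to port 0.

    Sockets stay open until all n are bound so the kernel cannot hand
    the same port back; they are closed before returning.
    """
    socks, ports = [], []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind(("127.0.0.1", 0))          # loopback only, no traffic sent
            socks.append(s)
            ports.append(s.getsockname()[1])  # port the kernel chose
    finally:
        for s in socks:
            s.close()
    return ports


def sequential_ratio(ports):
    """Fraction of consecutive allocations that differ by exactly +1.

    1.0 means purely sequential (the behaviour ISS flagged); a randomised
    allocator yields a value near 0.0.
    """
    if len(ports) < 2:
        return 0.0
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return sum(1 for d in steps if d == 1) / len(steps)


def classify(ports, threshold=0.5):
    """Label a port sample as 'sequential' or 'randomised' (threshold is arbitrary)."""
    ratio = sequential_ratio(ports)
    return ("sequential" if ratio >= threshold else "randomised", ratio)


if __name__ == "__main__":
    sample = sample_ephemeral_ports()
    label, ratio = classify(sample)
    print("ports:", sample)
    print("allocation looks %s (sequential steps: %.0f%%)" % (label, 100 * ratio))
```

This measures bind-time port allocation on the host you run it on, which is the "Predictable Sequence Ports" item the audit reported; it says nothing about TCP initial sequence number prediction, which is the separate property nmap's OS detection estimates.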