From: Peter Pentchev <roam@ringlet.net>
To: Klaus Steden
Cc: twig les, "Dalin S. Owen", Laurence Brockman, security@FreeBSD.ORG
Date: Mon, 8 Jul 2002 21:37:26 +0300
Subject: Re: hiding OS name
List: freebsd-security
In-Reply-To: <20020708141342.G13139@cthulu.compt.com>

On Mon, Jul 08, 2002 at 02:13:42PM -0400, Klaus Steden wrote:
> > Portsentry may help (/usr/ports/security/portsentry I
> > believe). Won't hide the OS, but it may shut down
> > scans before they get that far. , never tested
> > it that way.
> >
> A friend of mine runs portsentry configured to blackhole every IP that
> attempts to connect to a port where no server is running (in conjunction with
> a strict firewall); that can be done in FreeBSD without using portsentry, via
> the blackhole sysctl MIBs. See blackhole(4).
>
> It's not a bad means to keep people out of your machines.

I know I'm going to regret posting in this thread, but so be it :)

Does your friend know that, unlikely as it is made by modern ingress and
egress routing practices, IP spoofing is still not quite ruled out? Will
your friend's portsentry setup happily blackhole e.g. his ISP's nameserver,
or the root nameservers, or www.cnn.com's IP addresses, simply because
somebody found a way to send a TCP SYN packet with a forged source address
to e.g. your friend's machine's port 3? :)

G'luck,
Peter

-- 
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Do you think anybody has ever had *precisely this thought* before?
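As an added example, not from this thread and not portsentry's own code, here is a small Python model of the safeguard an auto-blackholing sensor would want against the forged-SYN problem Peter raises: it never reacts to a lone SYN, blocks a source only after it completes the three-way handshake (a spoofed sender never sees our ISN, so it cannot produce the right ACK), and exempts an allowlist of infrastructure addresses such as the ISP's nameservers. It assumes the sensor itself binds the unused ports so a handshake can complete; all addresses are constructed RFC 5737 documentation values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of an auto-blackholing sensor (not portsentry's logic).
# Pitfall from the thread: a single SYN carries no proof of its source, so
# blocking on it lets anyone with a spoofed packet get arbitrary addresses
# (nameservers, upstream routers, popular web sites) blackholed.
# Mitigations modelled:
#  1. Remember our ISN on a probe, but only block once the peer ACKs ISN+1,
#     which it can do only if the SYN/ACK really reached its address.
#  2. Never block addresses on an infrastructure allowlist.


@dataclass
class Blackholer:
    allow: list                 # ip_network objects that are never blocked
    listening_ports: set        # ports with real services; probes there are ignored
    blocked: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # (src, dport) -> our ISN

    def _exempt(self, src):
        return any(ip_address(src) in net for net in self.allow)

    def on_syn(self, src, dport, our_isn):
        """SYN to a closed port: record the ISN we answer with, never block yet."""
        if dport in self.listening_ports or self._exempt(src):
            return False
        self.pending[(src, dport)] = our_isn
        return False          # an unverified SYN never triggers a block

    def on_ack(self, src, dport, ack_num):
        """Third handshake packet: block only if it acknowledges our real ISN."""
        isn = self.pending.get((src, dport))
        if isn is None or ack_num != isn + 1:
            return False      # forged or replayed ACK: no proof of source
        del self.pending[(src, dport)]
        self.blocked.add(src)
        return True


if __name__ == "__main__":
    bh = Blackholer(allow=[ip_network("192.0.2.0/24")], listening_ports={22})
    bh.on_syn("198.51.100.53", 3, 1000)          # spoofed "nameserver" SYN
    print("nameserver blocked:", "198.51.100.53" in bh.blocked)   # False
    bh.on_syn("203.0.113.7", 3, 4242)            # real scanner
    bh.on_ack("203.0.113.7", 3, 4243)            # completes the handshake
    print("scanner blocked:", "203.0.113.7" in bh.blocked)         # True
```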