Date: Mon, 8 Jul 2002 23:02:03 +0300
From: Peter Pentchev <roam@ringlet.net>
To: twig les <twigles@yahoo.com>
Cc: Klaus Steden <klaus@compt.com>, "Dalin S. Owen" <dowen@nexusxi.com>, Laurence Brockman <laurence@fluxinc.com>, security@FreeBSD.ORG
Subject: Re: hiding OS name
Message-ID: <20020708200203.GB363@straylight.oblivion.bg>
In-Reply-To: <20020708195244.79411.qmail@web10107.mail.yahoo.com>
References: <20020708183726.GA363@straylight.oblivion.bg> <20020708195244.79411.qmail@web10107.mail.yahoo.com>
On Mon, Jul 08, 2002 at 12:52:44PM -0700, twig les wrote:
>
>
> --- Peter Pentchev <roam@ringlet.net> wrote:
> > On Mon, Jul 08, 2002 at 02:13:42PM -0400, Klaus Steden wrote:
> > > > Portsentry may help (/usr/ports/security/portsentry I
> > > > believe). Won't hide the OS, but it may shut down
> > > > scans before they get that far. <shrug>, never tested
> > > > it that way.
> > >
> > > A friend of mine runs portsentry configured to blackhole every IP that
> > > attempts to connect to a port where no server is running (in conjunction with
> > > a strict firewall); that can be done in FreeBSD without using portsentry, via
> > > the blackhole sysctl MIBs. See blackhole(4).
> > >
> > > It's not a bad means to keep people out of your machines.
> >
> > I know I'm going to regret posting in this thread, but so be it :)
> >
> > Does your friend know that, unlikely as it is made by modern ingress and
> > egress routing practices, IP spoofing is still not quite ruled out?
> > Will your friend's portsentry setup happily blackhole e.g. his ISP's
> > nameserver, or the root nameservers, or www.cnn.com's IP addresses,
> > simply because somebody found a way to send a TCP SYN packet with a
> > forged source address to e.g. your friend's machine's port 3? :)
>
> Nah, they have an ignore file of IPs to never block.
> rude but simple and effective.

<personality class="r_l_stevenson" char="mr-hide">
Uhm... ok... excuse me for a second, I have to start a little loop on
several dozens of machines here; a simple loop, yeah, netblocks, that's
right; well, I know it will not get too far, but I could probably get in
a couple of thousand 'deny' rules into that firewall before they notice,
can't I now?  And if I start with the right netblocks, I could block half
his favorite sites in a couple of minutes..  Oh, a reboot?  Bother..  Okay,
so I'll kill that in, say, a day, and start over again..  Oh hey, what's
that badge that just fell outta yer pocket?  Look, man, I gotta scramble,
some cousin's probably having a baby right now or something.. :P
</personality>

What, do you put half the Internet in that ignore file? :)

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.
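As an added illustration of the argument in this message (not code from the thread, from portsentry, or from FreeBSD), a small Python model of an "auto-blackhole the source of any SYN to a closed port" policy, run over a constructed packet trace with documentation-range addresses. It shows that the bare-SYN policy blocks whatever source address an attacker writes into a forged packet, that an ignore list protects only the addresses somebody remembered to list, and, as an assumed mitigation that goes beyond the thread, that a policy which reacts only to completed TCP handshakes is not fooled by off-path forgeries, since a spoofed source cannot finish the handshake.

```python
"""Model of portsentry-style auto-blackholing, evaluated against a
constructed packet trace. Addresses are from documentation ranges and
carry no meaning beyond this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str              # source address as written in the IP header (unauthenticated)
    dport: int            # destination port on the protected host
    handshake_done: bool  # True only if the three-way handshake completed


# Ports where a real server answers; anything else counts as "closed".
LISTENING_PORTS = {22, 80}


def blocked_by_policy(events, ignore_list=frozenset(), require_handshake=False):
    """Return the set of source addresses the policy would blackhole."""
    blocked = set()
    for ev in events:
        if ev.dport in LISTENING_PORTS:
            continue  # a real service handles it; the sentry does not react
        if ev.src in ignore_list:
            continue  # hand-maintained exception list ("ignore file")
        if require_handshake and not ev.handshake_done:
            continue  # a bare SYN proves nothing about who actually sent it
        blocked.add(ev.src)
    return blocked


# Constructed trace (assumption: the sentry itself listens on port 3, so a
# real on-path client can complete a handshake there).
TRACE = [
    Event("203.0.113.7", 3, False),     # genuine scanner probing port 3
    Event("203.0.113.7", 3, True),      # same scanner completes a connect() scan
    Event("192.0.2.53", 3, False),      # forged source: the ISP's resolver
    Event("198.51.100.80", 3, False),   # forged source: a popular web site
    Event("198.51.100.80", 80, False),  # ordinary traffic to a listening port
]


def demo():
    """Blast radius of the three policies on the same trace."""
    naive = blocked_by_policy(TRACE)
    with_ignore = blocked_by_policy(TRACE, ignore_list={"192.0.2.53"})
    gated = blocked_by_policy(TRACE, require_handshake=True)
    return naive, with_ignore, gated
```

The naive policy cuts off the resolver and the web site on the strength of two forged packets; the ignore list saves only the resolver; handshake gating blocks just the scanner that actually connected.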