From owner-freebsd-security Fri Mar 15 13:37: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.enic.cc (lobo.nic.cc [206.253.214.247]) by hub.freebsd.org (Postfix) with ESMTP id AC3C737B402 for ; Fri, 15 Mar 2002 13:37:01 -0800 (PST)
Received: from smokey.lan.enic.cc (tailback [206.253.214.252]) by mail.enic.cc (Postfix) with ESMTP id 2C7756A912; Fri, 15 Mar 2002 13:37:01 -0800 (PST)
Subject: Re: Is PortSentry really safe to use?
From: Mark Foster
To: Jesper Wallin
Cc: Baldur Gislason, freebsd-security@freebsd.org
In-Reply-To: <02031521302303.03229@germanium>
References: <2332.213.112.58.232.1016226432.squirrel@phucking.kicks-ass.org> <02031521302303.03229@germanium>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Evolution/1.0.2
Date: 15 Mar 2002 13:37:00 -0800
Message-Id: <1016228221.10601.69.camel@smokey.lan.enic.cc>
Mime-Version: 1.0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

This attack (spoofing) can be circumvented by using ingress filtering on
your router or firewall.

On Fri, 2002-03-15 at 13:30, Baldur Gislason wrote:
> That's right, you cannot rely on portsentry in "stealth scan" mode, since SYN
> packets are easily spoofable.
>
> Baldur
>
> On Friday 15 March 2002 21:07, you wrote:
> > Hey..
> >
> > Let's say I want to hide all my services by changing the standard ports on
> > all servers and run PortSentry.. I used to run my system like that before
> > but yesterday a friend of mine was talking about a little security issue..
> >
> > Let's say we run a system like that on www.blah.com, what happens if I run a
> > traceroute on it and fake a portscan from his default gateway? Sure he can
> > add the default gateway to the portsentry.ignore file but then I just take
> > the box before that and the one before that and the... and so on..
> >
> > Isn't PortSentry more like a problem than a help then? I'm not sure if all
> > of this works but I know it's possible to fake portscans with software like
> > "rain" and other "custom packets" programs.
> >
> >
> > Jesper Wallin (aka Z3l3zT)
> > "it's better to be a lame hacker than a hacked lamer"

--
-mdf [Mark D. Foster]                      Phone: 206-381-0449
System Administrator - eNIC Corporation    Fax:   206-329-7107
or mergatroid on AIM

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
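Added example (not part of the original message, and not PortSentry's code): a small Python model of the situation the thread describes. A stealth-mode trap blocks the source of any bare SYN hitting a trap port, and a BCP 38 style ingress filter on the external interface drops packets that claim a source inside the site's own prefix. All addresses (RFC 5737 documentation ranges), interface names and trap ports are constructed for the illustration. Running it shows two things: the SYN forged with the default gateway's address is dropped at the border before the trap sees it, so the gateway does not get blocked; and a SYN forged with an upstream hop's address still gets through, because ingress filtering can only reject sources that should never arrive on that interface, not arbitrary addresses further out on the path.

```python
"""Toy model of a PortSentry-style stealth-mode trap and of ingress filtering.
Added example, not PortSentry's code. All addresses, interfaces and trap ports
are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # claimed source address; unauthenticated for a bare SYN
    dst: str
    dport: int
    flags: str   # "S" = bare SYN, the only thing a stealth-mode trap sees


# Constructed set of otherwise unused ports the trap listens on.
TRAP_PORTS = {1, 11, 15, 111, 1080, 12345}


class SynTrap:
    """PortSentry-like auto-blocker.

    Any SYN to a trap port gets its source address blocked unless that address
    is on the ignore list. The source of a bare SYN is never validated, so a
    forged SYN can get an address of the attacker's choosing blocked."""

    def __init__(self, ignore=()):
        self.ignore = set(ignore)
        self.blocked = set()

    def observe(self, pkt):
        if pkt.flags == "S" and pkt.dport in TRAP_PORTS and pkt.src not in self.ignore:
            self.blocked.add(pkt.src)


class IngressFilter:
    """BCP 38 style ingress filter: a packet arriving on the external interface
    may not claim a source inside our own prefixes."""

    def __init__(self, ext_iface, own_prefixes):
        self.ext_iface = ext_iface
        self.own = [ipaddress.ip_network(p) for p in own_prefixes]

    def allow(self, pkt):
        if pkt.iface != self.ext_iface:
            return True          # internal interfaces are not filtered here
        src = ipaddress.ip_address(pkt.src)
        return not any(src in net for net in self.own)


def blocked_after(packets, trap_ignore=(), filt=None):
    """Pass packets through the optional ingress filter and then the trap;
    return the set of addresses the trap ended up blocking."""
    trap = SynTrap(ignore=trap_ignore)
    for pkt in packets:
        if filt is not None and not filt.allow(pkt):
            continue             # dropped at the border; the trap never sees it
        trap.observe(pkt)
    return set(trap.blocked)


# Constructed scenario: our network 192.0.2.0/24, our host 192.0.2.10,
# default gateway 192.0.2.1, external interface fxp0, LAN interface fxp1,
# an upstream hop at 203.0.113.1 and a real scanner at 198.51.100.7.
OWN_PREFIXES = ["192.0.2.0/24"]
HOST, GATEWAY = "192.0.2.10", "192.0.2.1"
UPSTREAM_HOP, SCANNER = "203.0.113.1", "198.51.100.7"

TRAFFIC = [
    Packet("fxp0", SCANNER, HOST, 12345, "S"),       # genuine scan from outside
    Packet("fxp0", GATEWAY, HOST, 12345, "S"),       # SYN forged as the gateway
    Packet("fxp0", UPSTREAM_HOP, HOST, 12345, "S"),  # SYN forged as the next hop
    Packet("fxp1", GATEWAY, HOST, 22, "S"),          # legitimate SSH from the LAN
]


def demo():
    """Return (blocked without filter, blocked with filter) for TRAFFIC."""
    no_filter = blocked_after(TRAFFIC)
    with_filter = blocked_after(TRAFFIC, filt=IngressFilter("fxp0", OWN_PREFIXES))
    return no_filter, with_filter


if __name__ == "__main__":
    nf, wf = demo()
    print("without ingress filter, blocked:", sorted(nf))
    print("with ingress filter, blocked:   ", sorted(wf))
```

Without the filter the trap blocks the scanner, the gateway and the upstream hop, so the forged gateway SYN has cut the host off from its own default route. With the filter the gateway spoof is dropped on fxp0 and only the scanner and the upstream hop are blocked. The upstream hop is still blocked because 203.0.113.1 is a legitimate external source as far as the border can tell; protecting addresses beyond your own prefix needs something other than ingress filtering, such as the ignore file or not auto-blocking on bare SYNs at all.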