Date: Thu, 5 Nov 1998 00:28:52 -0800
From: "Jan B. Koum " <jkb@best.com>
To: Poul-Henning Kamp <phk@critter.freebsd.dk>, Nate Williams <nate@mt.sri.com>
Cc: Don Lewis <Don.Lewis@tsc.tdk.com>, cvs-committers@FreeBSD.ORG
Subject: Re: cvs commit: src/usr.sbin/inetd inetd.c
Message-ID: <19981105002852.B18743@best.com>
In-Reply-To: <11223.910253625@critter.freebsd.dk>; from Poul-Henning Kamp on Thu, Nov 05, 1998 at 09:13:45AM +0100
References: <199811050756.AAA17272@mt.sri.com> <11223.910253625@critter.freebsd.dk>
On Thu, Nov 05, 1998 at 09:13:45AM +0100, Poul-Henning Kamp <phk@critter.freebsd.dk> wrote:
>
> >> Well, it is (barely) measurably faster on the two busy mailservers I run.
> >
> >That makes no sense given Don's analysis. Getting a reset is *MUCH*
> >faster than making a full-fledged TCP connection, sending and receiving
> >(bogus) data, and then shutting down the connection.

[snip]

> >> The other advantage is that it makes:
> >> sysctl -w net.inet.tcp.log_in_vain=1
> >> less noisy on same machines.
> >
> >????
>
> Have you tried it on a mail server which doesn't answer port 113 ?
> You get (possibly 3) messages every time somebody tries to connect
> to port 113. With this dummy server in place, you don't get the
> noise, so you can see actual portscans and stuff like that.

I am jumping into this thread and might be missing the point, but...

Most portscans these days won't get logged with that sysctl setting.
The reason is that they don't always have TH_SYN only - in many cases they
don't even have that. Here is, for example, what the nmap portscanner can do:

    -sT          tcp connect() port scan
    -sS          tcp SYN stealth port scan (must be root)
    -sF,-sX,-sN  Stealth FIN, Xmas, or Null scan (only works against UNIX).

Going from TH_SYN to TH_FLAGS in tcp_input.c will solve that. Maybe I
should beautify www.best.com/~jkb/tcp_input.diff.txt and just send-pr it?

> > Everybody who's concerned about security should run with
> > sysctl -w net.inet.tcp.log_in_vain=1
> > even if behind a firewall.

Taking it a step further: anyone who is REALLY concerned about security
should run an IDS to make sure their firewall works as it should. :)
I'd suggest NFR - it runs on FreeBSD very well.

-- Yan

I don't have the password .... + Jan Koum
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org
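The point Jan makes above is that a check on the SYN bit alone never sees a FIN, Xmas or Null probe. The following is an added illustration, not code from this thread or from FreeBSD's tcp_input.c: it takes the flag byte of a segment that has reached a TCP port with no listener and shows what a SYN-only rule, an any-flag (TH_FLAGS) rule, and a flag-independent "every segment on a closed port" rule would each log. The TH_* values are the ones in <netinet/tcp.h>, TH_FLAGS is the all-flags mask as FreeBSD's tcp.h defines it, and the four sample segments are constructed for the demonstration. One caveat the table makes visible: a Null probe carries no flag bits at all, so it yields 0 under either flag mask and is only caught by the rule that does not look at flags.

```c
/* Added illustration, not FreeBSD kernel code: what a log_in_vain-style
 * check sees for different probe styles on a closed TCP port.
 * Flag values match <netinet/tcp.h>; TH_FLAGS is FreeBSD's all-flags mask. */
#include <stdint.h>
#include <stdio.h>

#define TH_FIN   0x01
#define TH_SYN   0x02
#define TH_RST   0x04
#define TH_PUSH  0x08
#define TH_ACK   0x10
#define TH_URG   0x20
#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG)

typedef enum { PROBE_SYN, PROBE_FIN, PROBE_XMAS, PROBE_NULL, PROBE_OTHER } probe_t;

/* Name the probe style by its flag combination (nmap -sS / -sF / -sX / -sN). */
probe_t classify_probe(uint8_t flags)
{
    uint8_t f = flags & TH_FLAGS;
    if (f == TH_SYN)                   return PROBE_SYN;
    if (f == TH_FIN)                   return PROBE_FIN;
    if (f == (TH_FIN|TH_PUSH|TH_URG))  return PROBE_XMAS;
    if (f == 0)                        return PROBE_NULL;
    return PROBE_OTHER;
}

const char *probe_name(probe_t p)
{
    switch (p) {
    case PROBE_SYN:  return "SYN";
    case PROBE_FIN:  return "FIN";
    case PROBE_XMAS: return "Xmas";
    case PROBE_NULL: return "Null";
    default:         return "other";
    }
}

/* Rule 1: the check as the thread describes it, SYN bit only. */
int logs_syn_rule(uint8_t flags)         { return (flags & TH_SYN) != 0; }
/* Rule 2: the proposed change, any bit of TH_FLAGS set. */
int logs_flags_rule(uint8_t flags)       { return (flags & TH_FLAGS) != 0; }
/* Rule 3: flag-independent, every segment that reaches a closed port. */
int logs_closed_port_rule(uint8_t flags) { (void)flags; return 1; }

/* Constructed sample: one segment per probe style, all aimed at a closed port. */
static const uint8_t sample_segments[] = {
    TH_SYN,                 /* connect() / SYN scan */
    TH_FIN,                 /* FIN scan */
    TH_FIN|TH_PUSH|TH_URG,  /* Xmas scan */
    0,                      /* Null scan: no flag bits at all */
};
#define NSAMPLES (sizeof sample_segments / sizeof sample_segments[0])

/* Number of sample segments a given rule would write a log line for. */
int count_logged(int (*rule)(uint8_t))
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        n += rule(sample_segments[i]) ? 1 : 0;
    return n;
}

int main(void)
{
    printf("%-6s %-4s %-6s %-6s\n", "probe", "syn", "flags", "closed");
    for (size_t i = 0; i < NSAMPLES; i++) {
        uint8_t f = sample_segments[i];
        printf("%-6s %-4s %-6s %-6s\n", probe_name(classify_probe(f)),
               logs_syn_rule(f) ? "log" : "-",
               logs_flags_rule(f) ? "log" : "-",
               logs_closed_port_rule(f) ? "log" : "-");
    }
    printf("logged: syn=%d flags=%d closed=%d of %zu\n",
           count_logged(logs_syn_rule), count_logged(logs_flags_rule),
           count_logged(logs_closed_port_rule), NSAMPLES);
    return 0;
}
```

Run as is, the table shows the SYN rule logging one of the four probes, the TH_FLAGS rule three, and only the flag-independent rule all four. In a real stack that third rule lives in the reset-sending path for closed ports, which is why it sees the Null probe that both flag masks miss.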