From owner-freebsd-questions Sun Sep 12 9:47:34 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 3AE9E1542E; Sun, 12 Sep 1999 09:47:26 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id SAA14574; Sun, 12 Sep 1999 18:47:24 +0200 (CEST) (envelope-from des)
To: Dag-Erling Smorgrav
Cc: nate@mt.sri.com (Nate Williams), Ben Smithurst, "Jeremy L. Ramirez", dev-null@ns1.digicomsystems.net, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: How to prevent motd including os info
References: <4.2.0.58.19990911151659.00aa8d60@ns1.digicomsystems.net> <19990912012524.B41509@lithium.scientia.demon.co.uk> <199909121534.JAA18584@mt.sri.com>
From: Dag-Erling Smorgrav
Date: 12 Sep 1999 18:47:23 +0200
In-Reply-To: Dag-Erling Smorgrav's message of "12 Sep 1999 18:06:28 +0200"
Message-ID:
Lines: 176
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Dag-Erling Smorgrav writes:
> Nate Williams writes:
> > > # ipfw add 1 deny tcp from any to any in tcpflags syn,fin
> > Except if you do this the box is unable to provide *ANY* external
> > services, including email and/or DNS service. :(
> Not true. I've had two moderately busy IRC servers (one of them
> averages 700 clients, the other twice that) running with this ipfw
> rule for two or three months without a hitch.

Speaking of which - if you will allow me this tangent - I will never cease to be amazed by how much some people who ought to know better *think* they know about TCP/IP security and attack patterns, and how quick they are to handwave problems pointed out to them (or patches submitted for review) with some vague comments about "yes, in theory it could be a problem, but you'll never see this in real life", until I explain that my analyses and calculations are not based on fancy thought experiments but on hard, real-life, all-in-a-day's-work data.

To return to the subject matter, I have patches which (provided you build your kernel with the appropriate options) add a sysctl switch for dropping SYN+FIN packets in tcp_input() instead of having ipfw or ipfilter do it.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

Index: etc/rc.network =================================================================== RCS file: /home/ncvs/src/etc/rc.network,v retrieving revision 1.59 diff -u -r1.59 rc.network --- rc.network 1999/09/01 08:57:01 1.59 +++ rc.network 1999/09/07 17:30:13 
@@ -229,6 +229,16 @@ sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null fi + if [ "X$tcp_restrict_rst" = X"YES" ]; then + echo -n ' restrict TCP reset=YES' + sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null + fi + + if [ "X$tcp_drop_synfin" = X"YES" ]; then + echo -n ' drop SYN+FIN packets=YES' + sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null + fi + if [ "${ipxgateway_enable}" = "YES" ]; then echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null Index: etc/defaults/rc.conf =================================================================== RCS file: /home/ncvs/src/etc/defaults/rc.conf,v retrieving revision 1.32 diff -u -r1.32 rc.conf --- rc.conf 1999/09/06 20:22:40 1.32 +++ rc.conf 1999/09/07 17:30:40 @@ -48,6 +48,9 @@ tcp_extensions="NO" # Set to YES to turn on RFC1323 extensions. log_in_vain="NO" # YES to log connects to ports w/o listeners. tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO). +tcp_restrict_rst="NO" # Set to YES to restrict emission of RST +tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN + # NOTE: this breaks rfc1644 extensions (T/TCP) icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets network_interfaces="auto" # List of network interfaces (or "auto"). Index: sys/conf/options =================================================================== RCS file: /home/ncvs/src/sys/conf/options,v retrieving revision 1.152 diff -u -r1.152 options --- options 1999/09/08 22:01:31 1.152 +++ options 1999/09/09 09:16:45 
@@ -228,6 +228,8 @@ SLIP_IFF_OPTS opt_slip.h TCP_COMPAT_42 opt_compat.h TCPDEBUG +TCP_RESTRICT_RST opt_tcp_input.h +TCP_DROP_SYNFIN opt_tcp_input.h # ATM (HARP version) ATM_CORE opt_atm.h Index: sys/i386/conf/LINT =================================================================== RCS file: /home/ncvs/src/sys/i386/conf/LINT,v retrieving revision 1.641 diff -u -r1.641 LINT --- LINT 1999/09/08 22:03:46 1.641 +++ LINT 1999/09/09 09:17:00 @@ -469,6 +469,20 @@ options IPSTEALTH #support for stealth forwarding options TCPDEBUG +# The following options add sysctl variables for controlling how certain +# TCP packets are handled. +# +# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets. +# This is useful on systems which are exposed to SYN floods (e.g. IRC servers) +# or any system which one does not want to be easily portscannable. +# +# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This +# prevents nmap et al. from identifying the TCP/IP stack, but breaks support +# for RFC1644 extensions and is not recommended for web servers. +# +options TCP_RESTRICT_RST #restrict emission of TCP RST +options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN + # ICMP_BANDLIM enables icmp error response bandwidth limiting. You # typically want this option as it will help protect the machine from # D.O.S. packet attacks. Index: sys/netinet/tcp_input.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/tcp_input.c,v retrieving revision 1.93 diff -u -r1.93 tcp_input.c --- tcp_input.c 1999/08/30 21:17:06 1.93 +++ tcp_input.c 1999/09/07 17:37:50 @@ -36,6 +36,7 @@ #include "opt_ipfw.h" /* for ipfw_fwd */ #include "opt_tcpdebug.h" +#include "opt_tcp_input.h" #include #include 
@@ -93,6 +94,18 @@ &tcp_delack_enabled, 0, "Delay ACK to try and piggyback it onto a data packet"); +#ifdef TCP_RESTRICT_RST +static int restrict_rst = 0; +SYSCTL_INT(_net_inet_tcp, OID_AUTO, restrict_rst, CTLFLAG_RW, + &restrict_rst, 0, "Restrict RST emission"); +#endif + +#ifdef TCP_DROP_SYNFIN +static int drop_synfin = 0; +SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW, + &drop_synfin, 0, "Drop TCP packets with FIN+ACK set"); +#endif + struct inpcbhead tcb; struct inpcbinfo tcbinfo; @@ -340,6 +353,18 @@ } tiflags = ti->ti_flags; +#ifdef TCP_DROP_SYNFIN + /* + * If the drop_synfin option is enabled, drop all packets with + * both the SYN and FIN bits set. This prevents e.g. nmap from + * identifying the TCP/IP stack. + * + * This is incompatible with RFC1644 extensions (T/TCP). + */ + if (drop_synfin && (tiflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN)) + goto drop; +#endif + /* * Convert TCP protocol specific fields to host format. */ @@ -1849,6 +1874,10 @@ return; dropwithreset: +#ifdef TCP_RESTRICT_RST + if (restrict_rst) + goto drop; +#endif /* * Generate a RST, dropping incoming segment. * Make ACK acceptable to originator of segment. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
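Review bot: in the etc/rc.network hunk, the two new `sysctl -w` calls will print an error on stderr whenever the running kernel was built without TCP_RESTRICT_RST / TCP_DROP_SYNFIN, because the net.inet.tcp.restrict_rst and net.inet.tcp.drop_synfin OIDs only exist under those options and `>/dev/null` only silences stdout; either say so in the rc.conf comments or check for the OID before writing it, so an administrator who sets the knob on a GENERIC kernel notices it is not doing anything. Minor style point: the new tests use the `"X$tcp_restrict_rst" = X"YES"` form while the adjacent ipxgateway_enable test in the same hunk uses `"${ipxgateway_enable}" = "YES"`; follow the neighbouring style.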
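Review bot: in the etc/defaults/rc.conf hunk, the comments on the two new knobs should state that they only take effect on a kernel built with options TCP_RESTRICT_RST / TCP_DROP_SYNFIN (LINT says this, rc.conf does not), for example `tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN (needs TCP_DROP_SYNFIN)`. The T/TCP NOTE under tcp_drop_synfin is the right kind of caveat; tcp_restrict_rst deserves a matching one, since suppressing RSTs also affects legitimate peers that hold stale connection state, not only scanners.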
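Review bot: in the sys/i386/conf/LINT hunk, the TCP_RESTRICT_RST comment justifies the option with SYN floods, but the code it enables (the restrict_rst test at dropwithreset in the tcp_input.c hunk) only suppresses the RST that would answer a segment to a closed port or an otherwise unacceptable segment; a SYN to a listening port is still answered with SYN+ACK, so the option does nothing for a SYN flood against a service. Reword the comment around what the option actually does (a closed port no longer answers, which is what makes the host harder to portscan) and add the cost: peers with stale connections to this host will wait for their own timers to expire instead of being reset immediately.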
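Review bot: in the sys/netinet/tcp_input.c hunk at -93, the SYSCTL_INT description for drop_synfin reads "Drop TCP packets with FIN+ACK set", but the variable name, the rc.conf knob and the check in the -340 hunk all concern SYN+FIN; change it to "Drop TCP packets with SYN+FIN set" so the description an administrator sees is not misleading.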
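Review bot: in the sys/netinet/tcp_input.c hunk at -340, the SYN+FIN segment is dropped with a bare `goto drop` and no statistic is updated, so an operator cannot tell how often the knob fires or whether a legitimate T/TCP peer is being cut off; consider bumping a tcpstat counter before the goto, or logging in the same spirit as the existing log_in_vain knob shown in the rc.conf hunk. The placement immediately after `tiflags = ti->ti_flags;` is good: the test runs before any PCB lookup, so a dropped probe costs nothing beyond the flag comparison.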
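Review bot: in the sys/netinet/tcp_input.c hunk at -1849, putting `if (restrict_rst) goto drop;` at the top of dropwithreset suppresses every RST this path would generate, not only replies to probes: a peer that reconnects after this host has rebooted, or that sends data on a connection this host has already forgotten, now gets silence and hangs until its own timers expire. That is a defensible tradeoff for the IRC-server case the mail describes, but it should be spelled out in the LINT and rc.conf comments, and it argues for keeping the default at 0 as the patch does. A one-line comment above the #ifdef noting that the goto deliberately bypasses the rest of the dropwithreset checks would help the next reader.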