Date: Mon, 24 Nov 2008 22:37:23 +0100 From: =?ISO-8859-1?Q?Eirik_=D8verby?= <ltning@anduin.net> To: freebsd-security@freebsd.org Cc: Pieter de Boer <pieter@thelostparadise.com> Subject: Re: Dropping syn+fin replies, but not really? Message-ID: <876D0973-A384-4567-8E61-771E96E8A65A@anduin.net> In-Reply-To: <49299876.4020702@thelostparadise.com> References: <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net> <49299876.4020702@thelostparadise.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Nov 23, 2008, at 18:52, Pieter de Boer wrote: > Eirik =D8verby wrote: > >> I have a FreeBSD based firewall (pfsense) and, behind it, a few =20 >> dozen FreeBSD servers. Now we're required to run external security =20= >> scans (nessus++) on some of the hosts, and they constantly come =20 >> back with a "high" or "medium" severity problem: The host replies =20 >> to TCP packets with SYN+FIN set. > I'd consider this at most a 'low' severity problem. Agreed. >> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the =20= >> host in question (recent FreeBSD 7.2-PRERELEASE) have =20 >> net.inet.tcp.drop_synfin=3D1 - I would therefore expect this to be a =20= >> non-issue. > Given security tools' (including Nessus') track records of false > positives, I wouldn't be surprised if this was one of them. They generate a lot of others, too, mostly due to insufficient or =20 downright bogus identification of services. Since when did "pound ssl =20= proxy" equal "aladdin web server"? And since when was it common to run =20= Apache 2.0.23 for Linux on FreeBSD 7.0? Not to mention all the windows-=20= specific vulnerabilities I'm supposedly open to. >> Have I missed something important? Apart from this the hosts and =20 >> services get away without any serious issues, but the security =20 >> audit company insists this so-called hole to be closed. > It's not a hole, but could possibly aid in bypassing filtering rules > (which is quite unlikely in this day and age). It may be wise to =20 > find a > security company that knows how to interpret and verify Nessus output. > > If you want to do verification yourself, you could try the following: > - Run tcpdump on one of the servers and on the firewall > - Run nmap from an external host using the '--scanflags SYNFIN' flag > with destination the server. > > You can let tcpdump only show specific ports and source/destination > addresses. It's probably useful to use nmap to scan both ports you =20 > know > to be open and in use and ports that are filtered. Using the -p option > to nmap, you can specify which ports to scan. > > Perform the nmap scan and look at the tcpdump output to see how your > firewall and/or server react. nmap command: nmap -PN -sT --scanflags SYNFIN -p<port> anduin.net where <port> was either 80 (open) or 8585 (closed). tcpdump command on firewall (which NATs to internal IPs): tcpdump -i <interface> -p -vvv host alge.anart.no and \(port 80 or =20 port 8585\) where <interface> was the publicly facing interface on the firewall. Results for port 80: IP (tos 0x0, ttl 59, id 12785, offset 0, flags [DF], proto: TCP =20 (6), length: 64) alge.anart.no.40283 > 213.225.74.230.http: S, cksum =20 0xa720 (correct), 3300467486:3300467486(0) win 16384 <mss =20 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2747936488 0> IP (tos 0x0, ttl 63, id 10914, offset 0, flags [DF], proto: TCP =20 (6), length: 60) 213.225.74.230.http > alge.anart.no.40283: S, cksum =20 0x8ef5 (correct), 347647336:347647336(0) ack 3300467487 win 65535 <mss =20= 1460,nop,wscale 3,sackOK,timestamp 2946365534 2747936488> IP (tos 0x0, ttl 59, id 33877, offset 0, flags [DF], proto: TCP =20 (6), length: 52) alge.anart.no.40283 > 213.225.74.230.http: ., cksum =20 0x7dbd (correct), 1:1(0) ack 1 win 16384 <nop,nop,timestamp 2747936488 =20= 2946365534> IP (tos 0x0, ttl 59, id 31905, offset 0, flags [DF], proto: TCP =20 (6), length: 40) alge.anart.no.40283 > 213.225.74.230.http: R, cksum =20 0x7180 (correct), 1:1(0) ack 1 win 0 Results for port 8585: IP (tos 0x0, ttl 59, id 44156, offset 0, flags [DF], proto: TCP =20 (6), length: 64) alge.anart.no.1839 > 213.225.74.230.8585: S, cksum =20 0xf765 (correct), 1324215952:1324215952(0) win 16384 <mss =20 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 4070158112 0> IP (tos 0x0, ttl 63, id 34488, offset 0, flags [DF], proto: TCP =20 (6), length: 40) 213.225.74.230.8585 > alge.anart.no.1839: R, cksum =20 0x52ef (correct), 0:0(0) ack 1324215953 win 0 I can't tell what's going on here, except I wouldn't have expected a =20 reply at all to the second one at least, and maybe not even the first. =20= However, I don't have enough experience to tell if nmap is doing the =20 "right thing" here at all. Thanks, /Eirik=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?876D0973-A384-4567-8E61-771E96E8A65A>