+++ Abhi [linux-india] <07/05/02 17:19 +0900>:
> Au contraire, the cycle is ... use netcraft/queso/nmap/whatever to identify
> the target's OS, services running etc, find out the respective versions,
> search for an exploit for that version...
That's fine. For the determined crackers at least. The fact remains that
J.Random Skriptkiddy generally downloads and runs off-the-shelf rootkits
rather than anything else.
> Why not weed them out to begin with ? If I have ftp service running even on
> a non-advertised server, I will get 5-6 attempts every day for anonymous ftp
Look, I agree with you that having secured services, and not running
unnecessary services, is an absolute necessity. Fine?
What I disagree with is the "munging banners stops a cracker" bit.
The brute force kiddies try each exploit, announced on bugtraq or not. The
real crackers won't be fooled by your munging.
> Yes, it does sometimes (I would disagree with the term "severely" though) .
> And a stateful firewall, or any firewall to boot, will impact performance as
> a trade-off against security as well. It is just an option that depends on
> your own particular needs. What is your point ?
Depends on just how much impact. Modifying ttls to spoof a different OS has
a far higher impact than your average stateful firewalling.
> headers as the only security measure. Security through obscurity is no
> security at all, I agree... but it doesn't means you should go on spewing
> all sorts of helpful info. :)
Said helpful info won't help if you run something secure in the first place.
>
> > > Did you by any chance, *really* read my mail thoroughly and stumble
> across a
> > > technique I referred to, called firewalking ? Search for it on google
I did search for it on google. And firewalking would detect closed appearing
ports that are actually open. Like in a chain of firewalls.
Here's from the sans.org summary on firewalking ...
> Conclusion
>
> Firewalking can be stopped by blocking all outgoing TTL Exceeded in Transit
> packets in the firewall or by using Network Address Translation to hide the
> addresses on your internal networks. If a host on the other side of the
> firewall cannot be targeted then firewalking will not be successful.
Or, from the author's own summary -
> The easiest solution to this problem is to disallow ICMP TTL exceeded
> messages from leaving an internal network. This will also have the effect
> of breaking valid uses of traceroute and may inhibit remote diagnostics of
> an internal network problem. Another defense against firewalking is the use
> of some form of proxy server. Network Address Translation (NAT) or any
> proxy server (both application level and circuit level) can prevent
> Firewalk from probing behind them. While network based intrusion detection
> tools could detect certain attacks [3]; it is possible to develop a version
> of Firewalk that would generate packets that would look like valid packets
> for each service that it is scanning. Currently, Firewalk only fills in the
> packet header and does not insert any data into a packet. A more
> sophisticated version could emulate various services in an attempt to
> masquerade as valid traffic and randomize the order and times that it scans
> services.
Does the NAT bit help? If he's using rfc1918 unroutable addresses, it kind
of stands to reason that he's also using NAT to connect those hosts to the
'net.
--srs
--
Suresh Ramasubramanian <----> mallet <at> efn dot org
EMail Sturmbannfuhrer, Lower Middle Class Unix Sysadmin
[Linux One Stanza Tip] From : <[EMAIL PROTECTED]>
LOST #089 -**< Sub : ext2 to ext3 conversion >**-
Point your browser to the following howto if you are interested
in converting your existing ext2 filesystem to ext3 :
http://www.symonds.net/~rajesh
_______________________________________________________________
Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: [EMAIL PROTECTED]
_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
