----- Original Message ----- 
From: "Drexx Laggui" <[EMAIL PROTECTED]>
To: "Philippine Linux Users Group Mailing List" <[EMAIL PROTECTED]>
Sent: Tuesday, April 27, 2004 7:27 PM
Subject: Re: [plug] how to disable telnet on port 25


> 27Apr2004 (UTC -7)
>
> [EMAIL PROTECTED] wrote:
> > On Tue, Apr 27, 2004 at 12:38:26AM -0800, Drexx Laggui wrote:
> >
> >>You mean disabling telnet connections to your mail server's TCP/25? Not
> >>by Sendmail alone. The firewall made by Stonesoft disables TCP/25
> >>connections after a specified time of non-activity -- a simple way of
> >>guessing that connections to the mail server are made manually, because
> >>the required SMTP activity per unit of time is not there.
> >
> > This is dangerous.  This might prevent receiving mail from sites that
> > have a high latency relative to the server that's doing it.
> > Non-activity does not always mean an inactive connection, it could also
> > mean high latency.
>
> It's not dangerous per se. It'll just be quite inconvenient for the sys
> admin to fix if he/she is not aware of this firewall feature and that
> the mail servers are experiencing very high latency traffic.

dido is correct and it is dangerous because you are blocking legitimate high
latency traffic... usually you will find this kind of high latency traffic
in satellite networks where the latency is high (due to propagation delay
plus transmission delay), and satellite networks are also prone to packet
loss (if there is packet loss along the transit.. it will add more delay to
its communication)

> Reminds me of the false positives generated by firewalls regarding web
> proxy servers... as the web proxy server can have a tremendous lot of
> SYN-ACKs in its queue with a long wait time, a default-configured
> firewall can be mistaken in judging that the web proxy server is under
> DoS attack and thus send out alerts and even block traffic to/from it.
> But in reality it's just another working day for the web proxy.

true if you are still using the traditional tcp connection queue, which
will easily fill up and lead to a denial of service attack...
there is a simple solution to syn-flooding... and that is *tcp syncookies*
.. with this the attacker will fill up your bandwidth due to a massive tcp syn
attack but it will not fill the queue because tcp syncookies do not use
any queue at all.... linux and BSDs have this enabled by default, so there is
no need to worry about syn-flood attacks nor to use a firewall to protect
against syn-flood attacks...

> Now, if a firewall allows buffer-overflow attacks against a mail server
> and/or web servers, then that's dangerous.

depends on the OS and the hardware.. even if your firewall allows a
buffer-overflow but the OS or the hardware is designed to protect against
stack-smashing... you are still safe.... microsoft is working on this for
their future version of their OS with the help of hardware companies like
intel and others...

fooler.

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
.
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
.
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
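As an added illustration of the stateless handshake fooler describes above (example code, not part of the original thread or of any kernel), here is a toy SYN-cookie encoder and validator in Python: the server's initial sequence number carries a keyed hash plus a coarse time counter and an MSS index, so the server keeps no half-open queue entry until the client's final ACK proves the handshake is real. The secret, the MSS table, the 64-second counter period and the age limit are constructed for this example and simplified relative to the Linux implementation.

```python
import hashlib
import hmac
import struct

# Constructed server secret for this example; a real kernel generates
# its own secret at boot and never reuses it across reboots.
SERVER_SECRET = b"constructed-example-secret"

# Coarse MSS table, as in classic SYN-cookie designs: the cookie can
# only remember which table entry the client's MSS rounded down to.
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_PERIOD = 64      # the cookie counter ticks once every 64 s
MAX_AGE_TICKS = 2        # cookies older than ~128 s are rejected

def mss_index(mss):
    """Index of the largest table entry not exceeding the advertised MSS."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx

def _hash24(flow, counter, idx):
    # 24-bit keyed hash over the 4-tuple (saddr, daddr, sport, dport), the
    # time counter and the MSS index; without the secret it cannot be forged.
    msg = struct.pack("!4s4sHHIB", *flow, counter, idx)
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:3], "big")

def make_syn_cookie(flow, client_isn, mss, now):
    """Server ISN for the SYN-ACK: client_isn + cookie, no queue entry kept."""
    counter = int(now) // COUNTER_PERIOD
    idx = mss_index(mss)
    # bits 31..27: counter mod 32, bits 26..3: hash, bits 2..0: MSS index
    cookie = ((counter & 0x1F) << 27) | (_hash24(flow, counter, idx) << 3) | idx
    return (client_isn + cookie) & 0xFFFFFFFF

def check_syn_cookie(flow, client_isn, ack, now):
    """Validate the handshake's final ACK. Returns the MSS, or None if bogus."""
    cookie = (ack - 1 - client_isn) & 0xFFFFFFFF
    idx = cookie & 0x7
    counter_now = int(now) // COUNTER_PERIOD
    # Recover the full counter from its 5 stored bits, assuming it is recent.
    counter = counter_now - ((counter_now - (cookie >> 27)) & 0x1F)
    if counter_now - counter > MAX_AGE_TICKS:
        return None          # stale cookie (or one from the "future")
    if (cookie >> 3) & 0xFFFFFF != _hash24(flow, counter, idx):
        return None          # hash mismatch: forged or corrupted ACK
    return MSS_TABLE[idx]
```

A flood of SYNs therefore costs the server only the bandwidth of the SYN-ACKs it sends back, which is the point fooler makes: the queue is never touched.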
