Re: How do I change my firewall ports to stealth mode?
Rod Whitworth ([EMAIL PROTECTED]) wrote:
> On Tue, 28 Sep 2004 22:03:55 -0400, Greg Wooledge wrote:
>> Personally, I prefer not to reveal the usernames behind the client connections I'm making, so I use nullidentd.
> What's better about that than making the flags -Hole on the inetd settings for identd?

Well, for one, when I started out on OpenBSD 3.0, there wasn't a -H flag:
http://www.openbsd.org/cgi-bin/man.cgi?query=identd&apropos=0&sektion=0&manpath=OpenBSD+3.0&arch=i386&format=html

I'm not in the habit of re-checking the man pages for every command with every new release (nor am I subscribed to the CVS commit list), so I didn't know this feature had been added. Meanwhile, nullidentd does precisely what I want it to do, so there's very little reason for me to switch. New users who are just starting out, though, may prefer to use the in-tree identd.

-- 
Greg Wooledge | Truth belongs to everybody.
[EMAIL PROTECTED] |- The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
Re: How do I change my firewall ports to stealth mode?
Lars Hansson wrote:
> OpenBSD does this by default in inetd.conf.

Correction, it doesn't.

---
Lars Hansson
Re: How do I change my firewall ports to stealth mode?
Greg Wooledge wrote:
> Personally, I prefer not to reveal the usernames behind the client connections I'm making, so I use nullidentd. It's very simplistic; it just returns a constant string for all ident requests. (It doesn't appear to be in ports; I simply grabbed the source code from packages.debian.org/nullidentd and built it myself.)

Any particular reason you didn't just use the -h/-H and -o options with the standard OpenBSD identd?

---
Lars Hansson
Re: How do I change my firewall ports to stealth mode?
On Tue, 28 Sep 2004 22:03:55 -0400, Greg Wooledge wrote:
> Personally, I prefer not to reveal the usernames behind the client connections I'm making, so I use nullidentd. It's very simplistic; it just returns a constant string for all ident requests. (It doesn't appear to be in ports; I simply grabbed the source code from packages.debian.org/nullidentd and built it myself.)

What's better about that than making the flags -Hole on the inetd settings for identd? I haven't been got at in any way using that. Any need for another approach?

From the land down under: Australia.
Do we look umop apisdn from up over?
Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
Re: How do I change my firewall ports to stealth mode?
[EMAIL PROTECTED] wrote:
> http://www.clock.org/~fair/opinion/identd.html

Thanks for giving a link that nicely illustrates my point about people not understanding what ident does:

> The upshot of these assumptions is that when your system contacts the identd server of a remote system, you can trust the data returned that supposedly identifies a user who is trying to use a network service on your server, ...

That's exactly what ident is NOT intended to do. It's intended to help the admin of the machine connecting to *YOUR* machine if/when you need to coordinate something with him/her.

---
Lars Hansson
Re: How do I change my firewall ports to stealth mode?
On Sep 28, 2004, at 2:13 AM, Siju George wrote:
> I changed the block-policy from return to drop. Now my ports except 113 are showing up as stealthed while testing from http://www.grc.com/x/ne.dll?rh1dkyd2
> The Port 113 was opened because the PF FAQ asked to open it for
> SMTP Auth/Ident (TCP port 113): used by some services such as SMTP and IRC.
> ICMP Echo Requests: the ICMP packet type used by ping(8).

Now ask yourself: what's the point of dropping packets (woo, I'm in stealth mode, woo...), when a simple 1-1024 portscan will reveal you thanks to port 113 accepting connections (or sending resets, not sure if your identd is actually running)? Why wouldn't you rather just deny all and avoid behaving like a doof?

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
Re: How do I change my firewall ports to stealth mode?
Hi Jason!

Thanks for the reply! But if I can get port 113 also in adaptive stealth mode like ZoneAlarm did, then it would be better, wouldn't it?

regards
Siju
Re: How do I change my firewall ports to stealth mode?
On Tue, Sep 28, 2004 at 04:46:40PM +0530, Siju George wrote:
> But if I can get port 113 also in adaptive stealth mode like Zonealarm did then it would be better isn't it?

Not really. It can give a false sense of security, because you assume the 'adaptive' part can't be tricked by the attacker. See http://marc.theaimsgroup.com/?t=10490548072 for more details.

In short, pf doesn't have such a feature, and it's unlikely that it will have. If it's an essential requirement for you, you'll have to look elsewhere.

Daniel
Re: How do I change my firewall ports to stealth mode?
On 28/9/04 12:16 pm, Siju George at [EMAIL PROTECTED] wrote:
> Hi Jason! Thanks for the reply! But if I can get port 113 also in adaptive stealth mode like Zonealarm did then it would be better isn't it?

If you're just trying to hide, then no. Personally I send RSTs on blocked ports, partly because I think it's more polite, but also because filtered ports show there's a firewall in the way, whereas RSTs could come from a firewall or a host. As someone said, the only advantage to a drop policy is it slows down portscans, but that's irrelevant if we're talking about just one port.

Although ZoneAlarm's explanation was a bit hazy, it sounds as if it simply drops the packet if there's no state associated with the remote server, which is easy to do with pf (just accept packets with keep state flags S/SAFR and then block anything else on port 113). If ZoneAlarm's not using states, how else can it know if there's an existing relationship with the remote server...?

Oliver.

--
Oliver Humpage
ICT Co-ordinator, Watershed Media Centre
--
+44 (0)117 9276444

E-mails received are assumed to be for my attention, to do with as I wish. No responsibility is accepted if communications are sent to me in error. This disclaimer has as much legal status as yours.
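To make the two port-113 options discussed in this thread concrete (Siju's switch to block-policy drop, Jason's "just deny all", and Oliver's preference for sending RSTs), here is an added pf.conf fragment. It is not from the thread or from the PF FAQ; the interface name in the ext_if macro is an assumption. It does not attempt ZoneAlarm-style "adaptive stealthing", which, as Daniel notes above, pf does not provide.

```pf
# Added example, not from the thread. The interface name is an assumption.
ext_if = "fxp0"

# Global policy: silently drop everything that is not explicitly passed.
# This is the "stealth" setting Siju switched to. Note that a scanner still
# distinguishes a dropped probe (no answer) from a port that answers, so a
# single port that accepts or resets connections reveals a live host anyway.
set block-policy drop
block in on $ext_if all

# Outbound connections from this host, with state so that replies get back in.
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Weak setting, as the PF FAQ suggests for SMTP/IRC: port 113 is open to anyone.
# Combined with block-policy drop, this lone answering port is exactly what a
# 1-1024 portscan needs to unmask the host, as Jason points out.
# pass in on $ext_if proto tcp from any to any port 113 flags S/SA keep state

# Recommended setting when identd is not needed: answer ident probes with a
# RST instead of dropping or accepting them. "return" on this rule overrides
# the global drop policy for port 113 only. A remote SMTP or IRC server gets an
# immediate "connection refused" and carries on instead of waiting for a
# timeout, and a RST is what a host with no identd would send anyway.
block return in on $ext_if proto tcp from any to any port 113
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the resulting rule set with `pfctl -sr`. If some service you rely on really does require ident (a few IRC networks, per later messages in this thread), enable the pass rule instead and run identd with its username-hiding options rather than exposing real account names.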
Re: How do I change my firewall ports to stealth mode?
Hi Siju,

> The Port 113 was opened because the PF FAQ asked to open it for
> SMTP Auth/Ident (TCP port 113): used by some services such as SMTP and IRC.
> ICMP Echo Requests: the ICMP packet type used by ping(8).

I know that this is in the pf FAQ, but I don't think that you really need it. I don't know about IRC, but you mentioned only SMTP on your side. I've been running email servers for years now and never ran an identd. And my clients don't have an identd running either. I don't think that you need this for SMTP nowadays.

-volker
Re: How do I change my firewall ports to stealth mode?
Siju George wrote:
> I was using Zone Alarm before on a Windows 2000 Firewall. All its ports were shown as Stealthed but still SMTP server access was possible! So further digging I got this explanation from the website that conducted the test.
>
> Adaptive Stealthing means that when a TCP SYN packet arrives to request a connection to your machine's port 113, ZoneAlarm checks, on the fly, to see whether your machine currently has any sort of relationship with the remote machine (such as a pending outgoing connection attempt). If so, the remote machine is considered to be friendly and its IDENT request packet is allowed to pass through ZoneAlarm's firewall. But if the IDENT originating machine is not known to ZoneAlarm as a friendly machine, the connection requesting packet is dropped and discarded, rendering port 113 stealth to all unknown port scanners. It's very slick.
>
> Is there any way to do this in OpenBSD?

No, there's no point. People who say identd is a source of severe information leakage do not understand what ident does. If you feel paranoid, as I do, you can always configure it to return random usernames.

---
Lars Hansson
Re: How do I change my firewall ports to stealth mode?
Thank you Oliver for the reply and explanation! It was very informative. I'll also try the S/SAFR thing and see how it works!

God bless you
warm regards
Siju
Re: How do I change my firewall ports to stealth mode?
> I know that this is in the pf faq but I don't think that you really need it. I don't know about IRC but you mentioned only SMTP on your side. I'm running emailservers for years now and never ran an identd. And my clients don't have an identd running either. I don't think that you need this for smtp nowadays.
>
> -volker

I don't think we have IRC. It's almost time to close office. I'll try your suggestion tomorrow and see if it works! If it works, fine, because I'll have to show other guys who do not have all this technical knowledge that OpenBSD can do what Zone Alarm can do, and much better, at least till they also learn the truth.

Thanks a lot all you precious folks!

Take care
God bless you all
Siju
Re: How do I change my firewall ports to stealth mode?
> People who say identd is a source of severe information leakage does not understand what ident does. If you feel paranoid, as I do, you can always configure it to return random usernames.
>
> ---
> Lars Hansson

Hi Lars!

Thanks a lot for the reply! Will the manpage for identd tell me how to return random usernames? Or could you please give me a link where I can learn that?

Thanks a lot
God bless you.
Siju
Re: How do I change my firewall ports to stealth mode?
Siju George writes:
> Hi Lars! Thanks a lot for the reply! Will manpage for identd tell me how to return random usernames? Or could you please give me a link where I can learn that?

http://www.clock.org/~fair/opinion/identd.html
Re: How do I change my firewall ports to stealth mode?
Kevin writes:
> Many IRC servers will drop sessions if they cannot talk to an ident service on the originating end. If you don't want your users to be on IRC, this could be considered as a benefit of blocking TCP/113 ;)

Doubtful with IRC servers today. Although I'm not privy to the details of IRC per se, I have set up a number of firewalls in my day and have perused a lot of sockets code, and frankly, I would be surprised if anyone on this forum found they needed ident working for anything, including IRC. I seriously doubt this is true any more.

> While the identd service is not *mandatory* on servers which send outbound SMTP email, many remote SMTP servers will query identd when your machine connects as a SMTP client.

Again, not lately. This I do know something about. I know that Sendmail and Qmail MTAs dropped any notion of needing ident for anything long ago. Exchange and IMAP servers certainly don't rely on it.

> Bottom line, if your server sends SMTP email to arbitrary remote SMTP servers, it is detrimental to stealth ident.

Name one MTA that needs ident. I'm not saying they don't exist, I'm just curious.
Re: How do I change my firewall ports to stealth mode?
On 28 Sep 2004 10:50:02 -0700, [EMAIL PROTECTED] wrote:
> You don't need it, nothing now depends on it,

Not quite correct. Certain SMTP, FTP and IRC servers come to mind.

--
SB: Wait, you mean the costumes themselves give you super powers?
MM: Of course! Why else would we fly around in coloured undies?
Re: How do I change my firewall ports to stealth mode?
On Tuesday, Sep 28, 2004, at 09:47 US/Pacific, [EMAIL PROTECTED] wrote:
> Kevin writes:
>> Many IRC servers will drop sessions if they cannot talk to an ident service on the originating end. If you don't want your users to be on IRC; this could be considered as a benefit of blocking TCP/113 ;)
>
> Doubtful with IRC servers today. Although I'm not privy to the details of IRC per se, I have set up a number of firewalls in my day and have perused a lot of sockets code, and frankly, I would be surprised if anyone on this forum found they needed ident working for anything, including irc. I seriously doubt this is true any more.

It is. It's a mitigating mechanism for many types of worms/bots/whatever, since they aren't capable of poking holes in their computer owner's broadband NAT device.
Re: How do I change my firewall ports to stealth mode?
On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote:
> It is. It's a mitigating mechanism for many types of worms/bots/whatever, since they aren't capable of poking holes in their computer owner's broadband NAT device.

That's what UPnP is for, isn't it?

SCNR,
Daniel
Re: How do I change my firewall ports to stealth mode?
On Tue, 2004-09-28 at 16:23:43 -0700, Trevor Talbot proclaimed...
> It is. It's a mitigating mechanism for many types of worms/bots/whatever, since they aren't capable of poking holes in their computer owner's broadband NAT device.

Yea, sure. I've seen *many* bots with identd running happily joining command and control IRC servers. Those servers are almost always rogue servers that don't care if identd is running. What examples, specifically, are you referring to? I'm actually curious.
Re: How do I change my firewall ports to stealth mode?
On Tuesday, Sep 28, 2004, at 16:34 US/Pacific, Daniel Hartmeier wrote:
> On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote:
>> It is. It's a mitigating mechanism for many types of worms/bots/whatever, since they aren't capable of poking holes in their computer owner's broadband NAT device.
>
> That's what UPnP is for, isn't it?

*grin* luckily they don't seem to have caught up with that...

On Tuesday, Sep 28, 2004, at 16:39 US/Pacific, [EMAIL PROTECTED] wrote:
> Yea, sure. I've seen *many* bots with identd running happily joining command and control IRC servers. Those servers are almost always rogue servers that don't care if identd is running.

Sure, there are always machines that aren't filtering identd, and of course the control servers won't care. I said it was a mitigating thing, not a prevention thing :) More of an issue are the things that attempt to spread, as those want to be on the big networks where everyone can see them. The average exploited cable/DSL machine also won't have identd enabled. Put two and two together, and it's useful.

Another use is requiring shell providers to properly identify their customers for abuse control, lest they lose all connectivity to an IRC network. 'Course, that only works if it's a network their customers care about, and it's a bit away from the original identd/pf scenario under discussion.

Anyway, IRC networks do still find ident useful and even require it at times.
Re: How do I change my firewall ports to stealth mode?
Siju George wrote:
> Hi Lars! Thanks a lot for the reply! Will manpage for identd tell me how to return random usernames? Or could you please give me a link where I can learn that?

man identd, options -h and -H in particular. OpenBSD does this by default in inetd.conf.

---
Lars Hansson
Re: How do I change my firewall ports to stealth mode?
Volker Kindermann ([EMAIL PROTECTED]) wrote:
> I'm running emailservers for years now and never ran an identd. And my clients don't have an identd running either. I don't think that you need this for smtp nowadays.

It's never been mandatory for SMTP. Some IRC servers do require it, though.

Personally, I prefer not to reveal the usernames behind the client connections I'm making, so I use nullidentd. It's very simplistic; it just returns a constant string for all ident requests. (It doesn't appear to be in ports; I simply grabbed the source code from packages.debian.org/nullidentd and built it myself.)

-- 
Greg Wooledge | Truth belongs to everybody.
[EMAIL PROTECTED] |- The Red Hot Chili Peppers
http://wooledge.org/~greg/ |