Robert:

        Heya. In general...an open port on your firewall is
not really a security problem *if* there's no service actually
listening to that port. So, is Dachstein actually running a
service that's listening to UDP port-9?

        Secondly, AFAIK, the default firewall rules for
Dachstein (and the rules that come as part of add-on
packages such as Seawall, echowall, etc) are "Default deny"
rules. So, all ports are DENY'd by default, and only the
ones you need to open are set up to ACCEPT. In this spirit,
your rules below to screen for Code Red and this Discard
vulnerability seem superfluous from a security point of view.
Though, I can see their merit from a "reduce the clutter in
my packet logs" point of view.

        Thirdly, an address of the form "-d w.x.y.z :80"
will be interpreted by ipchains as "act on a destination
address w.x.y.z on any port *less than or equal to* 80". So,
your Code Red rule there would, if put up near the top of
your ruleset, possibly block other services you intended to
allow (such as SSH, TCP port-22). In other words, be careful
with the ":80" nomenclature; it's confusingly similar (but
very different) to what you may have seen in an http address.

        Lastly (phew!), regarding your question of "non random
IP IDs", please don't sweat it. Ninety-nine percent of the
malevolent traffic on the 'net is generated by script kiddies
that are looking for easily/previously compromised machines
(such as WinNT with open shares). Being port-scanned is as
natural a part of being an Internet citizen as being honked
at is to being a driver in NYC. :) Anyone running
a LEAF-based firewall with no port-forwarded services will
quickly be ignored.
        Another way to think about it...If someone is actually
attacking your network with something as sophisticated as TCP
sequence prediction based on non-random IP ID's...and the
network you're securing is valuable enough for them to take
an interest in such an attack...and you're asking for help on
this list...then your security needs are under-funded and
under-staffed. A worthwhile rule of thumb: no one will spend
more time & money than it's worth to break into your network.
If someone wanted the data in my PC that badly, it'd be much
more economical for them to just kick in a window and take it.
        Cheery thought. :)

-Scott

> Hi,
> I just ran a port scan from www.vulnerabilities.org and came up with
> the following security warnings. I am using stock Dachstein CD rc5
> with the following chains added to the end of ipfilter.conf.
>
> # Router Call
> $IPCH -I input -i eth0 -p 17 -s x.x.17.145 -j DENY
> # Router Call
> $IPCH -I input -i eth0 -p 2 -s x.x.17.145 -j DENY
> # Broadcast messages
> $IPCH -I input -i eth0 -p 17 -s 0/0 -d 255.255.255.255  -j DENY
> # Code Red
> $IPCH -I input -i eth0 -p 6 -y -s 0/0 -d x.x.17.149 :80  -j DENY
>
>
> Regarding the warning about port 9 shall I insert the following
> ipchains rule at the end of ipfilter.conf?
> $IPCH -I input -i eth0 -p 17  -s 0/0 -d 0/0  :9  -j DENY
>
> What can I do about the non random IP IDs?
>
> Thanks Robert
> ------------------------------------------------
>
> Security Warning found on port general/tcp
>
> The remote host uses non-random IP IDs, that is, it is
> possible to predict the next value of the ip_id field of
> the ip packets sent by this host.
>
> An attacker may use this feature to determine if the remote
> host sent a packet in reply to another request. This may be
> used for portscanning and other things.
>
> Solution : Contact your vendor for a patch
> Risk factor : Low
> -----------------------------------------------
> Vulnerability found on port discard (9/udp)
> It was possible to make
> the remote Ascend router reboot by sending
> it a UDP packet containing special data on
> port 9 (discard).
>
> A cracker may use this flaw to make your
> router crash continuously, preventing
> your network from working properly.
>
> Solution : filter the incoming UDP traffic coming
> to port 9. Contact Ascend for a solution.
>
> Risk factor : High
> CVE : CVE-1999-0060 <http://cgi.nessus.org/cve.php3?cve=CVE-1999-0060>
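Scott's third point, that a bare " :80" after the "-d" address is an ipchains port *range* 0..80 and not "port 80", worked through as an added example that is not part of this thread. The checker below is a hypothetical helper that understands only the handful of ipchains options used in Robert's rules (-p, -y, -d, -j) and reports which well-known ports a DENY rule would swallow along the way; the sample rules are constructed from the post, with $IPCH and the x.x.17.149 placeholder kept as they appear there.

```python
# Added example, not from the post: a tiny checker for the ipchains port
# syntax Scott warns about. Only -p, -y, -d and -j are understood; other
# options are skipped, so this is a subset of real ipchains parsing.

PROTO = {"6": "tcp", "17": "udp", "2": "igmp"}
WELL_KNOWN = ((22, "ssh"), (25, "smtp"), (53, "dns"), (110, "pop3"))

# Constructed sample rules: the Code Red rule as posted, a corrected version
# that names a single port instead of the range ':80', and the discard rule.
CODE_RED_AS_POSTED = "$IPCH -I input -i eth0 -p 6 -y -s 0/0 -d x.x.17.149 :80 -j DENY"
CODE_RED_FIXED = "$IPCH -I input -i eth0 -p 6 -y -s 0/0 -d x.x.17.149 80 -j DENY"
DISCARD_RULE = "$IPCH -I input -i eth0 -p 17 -s 0/0 -d 0/0 :9 -j DENY"


def parse_port_spec(spec):
    """ipchains port syntax: 'p' is one port, 'a:b' is a..b, ':b' is 0..b, 'a:' is a..65535."""
    if ":" not in spec:
        return (int(spec), int(spec))
    lo, hi = spec.split(":", 1)
    return (int(lo) if lo else 0, int(hi) if hi else 65535)


def parse_rule(line):
    """Pull protocol, SYN flag, destination port range and target out of one rule."""
    toks = line.split()
    rule = {"proto": None, "syn": "-y" in toks, "dport": (0, 65535), "target": None}
    for i, tok in enumerate(toks):
        if tok == "-p":
            rule["proto"] = PROTO.get(toks[i + 1], toks[i + 1])
        elif tok == "-j":
            rule["target"] = toks[i + 1]
        elif tok == "-d" and i + 2 < len(toks) and not toks[i + 2].startswith("-"):
            # a bare token after the address is a port spec, so ' :80' means 0..80
            rule["dport"] = parse_port_spec(toks[i + 2])
    return rule


def denies(rule, proto, dport, syn=True):
    """Would this DENY rule drop a packet of the given protocol and destination port?"""
    lo, hi = rule["dport"]
    return (rule["target"] == "DENY" and rule["proto"] == proto
            and lo <= dport <= hi and (syn or not rule["syn"]))


def collateral(line):
    """Names of well-known services a rule would deny besides the port it was meant for."""
    rule = parse_rule(line)
    return [name for port, name in WELL_KNOWN if denies(rule, rule["proto"], port)]


if __name__ == "__main__":
    for label, line in (("as posted", CODE_RED_AS_POSTED), ("fixed", CODE_RED_FIXED)):
        print(f"{label:10s} dport={parse_rule(line)['dport']} also blocks {collateral(line)}")
```

Run as-is it shows the posted rule blocking inbound SSH, SMTP and DNS SYNs along with port 80, while the single-port form blocks only port 80.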



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user