Re: Attempt on smtpd / faking remote ip

2004-04-06 Thread Ralph Paßgang
On Tuesday, 06 April 2004 17:37, you wrote: Hi Ralph, thanks for the hint. [...] I did it like this, but after the first line iptables said: cannot use parameter -o with INPUT (or something like this - I can't remember exactly). So I left out -o lo at the INPUT rule, and also left

Re: Attempt on smtpd / faking remote ip

2004-04-06 Thread Andreas Vent-Schmidt
Hi Ralph, thanks for the hint. At 23:59 +0200 04.04.2004, Ralph Paßgang wrote: you should also filter out 127.0.0.0/8 on any network interface but lo, so that spoofing with localhost addresses is not possible anymore. (for example: iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -o lo -p

Re: Attempt on smtpd / faking remote ip

2004-04-06 Thread Ralph Paßgang
Sorry, I forgot to put in the link after because you are German: :)) so here it is: http://www.heise.de/security/result.xhtml?url=/security/artikel/43066words=Cookie it's about SYN floods and the syncookies thing :) --Ralph

Attempt on smtpd / faking remote ip

2004-04-04 Thread Andreas Vent-Schmidt
Hi folks, today I got some strange messages in the log files. It's a quite usual woody box (apache, some (about 15) POP accounts, no smtp relaying, no ftp accounts, nothing exciting) with postfix installed from .deb-package. ## snip # Apr 4 07:11:15

Re: Attempt on smtpd / faking remote ip

2004-04-04 Thread Andreas John
Hi! It looks like your friend is trying to inject packets into your smtp with faked (spoofed) IPs. In this particular case he sends as localhost. I guess he does sequence-number guessing, so he assumes there is a running connection and if he hits the sequence, he may do nasty things with your

Re: Attempt on smtpd / faking remote ip

2004-04-04 Thread Ralph Paßgang
You should also filter out 127.0.0.0/8 on any network interface but lo, so that spoofing with localhost addresses is not possible anymore. (for example: iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -o lo -p ALL -j ACCEPT iptables -A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -o lo -p

Re: Attempt on smtpd / faking remote ip

2004-04-04 Thread Andreas Vent-Schmidt
Hi Andreas, thanks a lot for your hints. At 12:54 +0200 04.04.2004, Andreas John wrote: It looks like your friend is trying to inject packets into your smtp with faked (spoofed) IPs. In this particular case he sends as localhost. I guess ... more likely that he tries to overflow postfix
