Re: Dropping syn+fin replies, but not really?



Eirik Øverby wrote:

> I have a FreeBSD-based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.

I'd consider this at most a 'low' severity problem.

> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the host
> in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.

Given security tools' (including Nessus') track records of false
positives, I wouldn't be surprised if this was one of them.

> Have I missed something important? Apart from this the hosts and
> services get away without any serious issues, but the security audit
> company insists that this so-called hole be closed.

It's not a hole, but could possibly aid in bypassing filtering rules
(which is quite unlikely in this day and age). It may be wise to find a
security company that knows how to interpret and verify Nessus output.

If you want to do verification yourself, you could try the following:
- Run tcpdump on one of the servers and on the firewall
- Run nmap from an external host using the '--scanflags SYNFIN' flag
with destination the server.

You can let tcpdump only show specific ports and source/destination
addresses. It's probably useful to use nmap to scan both ports you know
to be open and in use and ports that are filtered. Using the -p option
to nmap, you can specify which ports to scan.

Perform the nmap scan and look at the tcpdump output to see how your
firewall and/or server react.

G'luck,
Pieter
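The last step of the verification procedure above is to read the tcpdump output and see whether the server answered the SYN+FIN probe at all. As an added example (not code from the thread or from the FreeBSD project), the script below parses tcpdump's text output and classifies each SYN+FIN probe per destination port as silently dropped, answered with SYN+ACK (the behaviour the scanner reports, which net.inet.tcp.drop_synfin=1 is meant to prevent) or answered with RST. It assumes the `Flags [..]` notation printed by current tcpdump versions; the capture lines and the RFC 5737 addresses in it are constructed for the example.

```python
"""Classify SYN+FIN probes in a tcpdump -n text capture.

Added example for verifying a "replies to SYN+FIN" scanner finding; not
part of the original mail. Assumes tcpdump's `Flags [SF]` / `Flags [S.]`
notation: S=SYN, F=FIN, R=RST, P=PSH, .=ACK.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample capture (RFC 5737 documentation addresses):
# 203.0.113.5 is the external scanning host, 198.51.100.10 the server.
# Port 22 answers SYN+ACK, port 80 stays silent, port 443 sends RST.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 203.0.113.5.40000 > 198.51.100.10.22: Flags [SF], seq 0, win 1024, length 0
10:01:02.000120 IP 198.51.100.10.22 > 203.0.113.5.40000: Flags [S.], seq 1, ack 1, win 65535, length 0
10:01:03.000001 IP 203.0.113.5.40001 > 198.51.100.10.80: Flags [SF], seq 0, win 1024, length 0
10:01:04.000001 IP 203.0.113.5.40002 > 198.51.100.10.443: Flags [SF], seq 0, win 1024, length 0
10:01:04.000090 IP 198.51.100.10.443 > 203.0.113.5.40002: Flags [R.], seq 0, ack 1, win 0, length 0
"""

# Matches the addressing and flag part of a tcpdump -n TCP line.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

Packet = Tuple[str, int, str, int, str]  # src, sport, dst, dport, flags


def parse_capture(text: str) -> List[Packet]:
    """Extract (src, sport, dst, dport, flags) from each TCP line."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-TCP or otherwise unparseable line; ignore
        packets.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return packets


def classify_synfin_probes(text: str) -> Dict[int, str]:
    """Map each probed destination port to 'dropped', 'syn-ack', 'rst' or 'other:<flags>'."""
    packets = parse_capture(text)
    results: Dict[int, str] = {}
    for src, sport, dst, dport, flags in packets:
        if not ("S" in flags and "F" in flags):
            continue  # only SYN+FIN probes are of interest
        verdict = "dropped"  # no matching reply seen in the capture
        for rsrc, rsport, rdst, rdport, rflags in packets:
            # A reply reverses the probe's address/port pair.
            if (rsrc, rsport, rdst, rdport) != (dst, dport, src, sport):
                continue
            if "R" in rflags:
                verdict = "rst"
            elif "S" in rflags and "." in rflags:
                verdict = "syn-ack"  # the stack accepted SYN+FIN as a SYN
            else:
                verdict = "other:" + rflags
            break
        results[dport] = verdict
    return results


def ports_confirming_finding(text: str) -> List[int]:
    """Ports where a SYN+ACK came back, i.e. the scanner's finding holds."""
    return sorted(p for p, v in classify_synfin_probes(text).items() if v == "syn-ack")


if __name__ == "__main__":
    # Usage: tcpdump -n -i em0 'tcp and host 203.0.113.5' > probe.txt
    #        python3 synfin_check.py probe.txt      (or no argument for the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for port, verdict in sorted(classify_synfin_probes(data).items()):
        print(f"port {port}: {verdict}")
    print("finding confirmed on ports:", ports_confirming_finding(data))
```

If every probe comes back as "dropped" while the scanner still reports the issue, the report is a false positive of the kind Pieter describes; a "syn-ack" verdict means the SYN+FIN reached a stack that did not drop it, so the sysctl on that path deserves a second look.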

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"


