Re: Pubstro rash
From: Mark Coleman (markc_at_uniontown.com)
Date: 03/17/05
- Previous message: Bourque Daniel: "RE : Pubstro rash"
- In reply to: David Gillett: "Pubstro rash"
- Next in thread: Steve Drees: "RE: Pubstro rash"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 17 Mar 2005 16:50:45 -0500
To: gillettdavid@fhda.edu
Hi David,
>3. Instead of a random high port, the installed FTP server
>listens on port 53. Which I can't block, because DNS may
>need to use it, right?
>
>4. The FTP banners all claim to be the work of "Droppunx".
If these are workstations, not servers, then you should be able to block
TCP 53 INBOUND to them from the world without harming their DNS
resolution, and effectively block the world's access to these FTP
servers running on tcp port 53. Since you say they have a banner, I am
assuming TCP.
DNS typically (from memory) will use UDP for most requests, but will
fall over to TCP for requests over 576 bytes in size, but if these are
workstations then you can allow both TCP/UDP port 53 OUT and still block
TCP port 53 IN and that shouldn't affect DNS for these workstations.
TCP, being stateful, lets you discriminate on direction at layer 4.
Stopping inbound SYNs on port 53 IN will only cause a problem if it's a
DNS server that the world is trying to hit.
-Mark Coleman
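As an added illustration of the direction-based filtering Mark describes (this is not code from the thread), the following is a small stateful-filter simulation: workstations may open DNS flows on port 53 over UDP or TCP and receive the replies, while an unsolicited inbound TCP SYN to port 53 on a workstation is dropped. The subnet and addresses are constructed examples.

```python
import ipaddress
from dataclasses import dataclass
# Constructed example values: a workstation subnet, an external resolver and an
# outside host trying to reach the pubstro FTP server that listens on TCP 53.
WORKSTATION_NET = "10.1.0.0/16"
WORKSTATION, RESOLVER, OUTSIDE_HOST = "10.1.2.3", "203.0.113.10", "198.51.100.7"

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN without ACK: a new connection attempt

class Port53Filter:
    """Workstations may start DNS on 53 (UDP or TCP) and get the replies back;
    nothing outside may open a connection to port 53 on a workstation."""
    def __init__(self, workstation_net):
        self.net = ipaddress.ip_network(workstation_net)
        self.flows = set()  # 5-tuples of flows the workstations have opened

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.net

    def decide(self, p):
        if self._inside(p.src) and not self._inside(p.dst):
            # OUT: allow, and remember the flow so its reply is recognised
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if self._inside(p.dst) and not self._inside(p.src):
            # IN: reply to a flow the workstation started (ESTABLISHED) -> accept
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
                return "ACCEPT"
            # IN: unsolicited packet to port 53 on a workstation -> drop; for TCP
            # this is the SYN that would otherwise reach the FTP server
            if p.dport == 53:
                return "DROP"
        return "OTHER_POLICY"  # traffic this rule does not cover

def simulate():
    fw = Port53Filter(WORKSTATION_NET)
    return {
        "udp_query": fw.decide(Packet("udp", WORKSTATION, 40000, RESOLVER, 53)),
        "udp_reply": fw.decide(Packet("udp", RESOLVER, 53, WORKSTATION, 40000)),
        "tcp_query": fw.decide(Packet("tcp", WORKSTATION, 40001, RESOLVER, 53, True)),
        "tcp_synack": fw.decide(Packet("tcp", RESOLVER, 53, WORKSTATION, 40001)),
        "ftp_probe": fw.decide(Packet("tcp", OUTSIDE_HOST, 51000, WORKSTATION, 53, True)),
    }
```

The TCP fallback case (`tcp_query`/`tcp_synack`) is the one that matters: a plain inbound block on TCP 53 without state would break it, while the stateful version keeps it working and still drops the outside SYN.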