AW: Iptables Clues and Advices.

From: Michael Kluge (michael.kluge@wundermedia.de)
Date: 04/11/03

  • Next message: Fred W. Noltie Jr.: "Re: Don't BOUNCE the list!"
    Date: Fri, 11 Apr 2003 10:32:59 +0200
    From: "Michael Kluge" <michael.kluge@wundermedia.de>
    To: "Jeff Harris" <jharris@tahongawaka.nu>, <security-basics@securityfocus.com>
    

    Hi!

    I think DROP gives indeed some kind of extra security over REJECT.
    Most scanners are used on networks, not on specific hosts.
    These scanners (like nmap) usually try to ping (icmp or TCP) each host in
    a network. Only hosts answering are scanned.
    So if you use DROP, in many cases your host will not be found and will
    therefore not be subject to attack.
    At least it will keep off a lot of script-kiddies.

    It is true that if you provide any service to the internet,
    your host CAN be found by portscanning. But it's not true
    that it WILL necessarily be found by portscanning if you use DROP.
    If using REJECT it usually will be found! And this is exactly
    the difference of these two methods and IMHO the best reason to use
    DROP.

    A legitimate user won't run into any problems as a legitimate user
    will only connect to open ports.

    The only port I use REJECT for is TCP 113 (ident), because many services
    (e.g. many ftp servers) try to connect to this port.

    Michael.

    > -----Original Message-----
    > From: Jeff Harris [mailto:jharris@tahongawaka.nu]
    > Sent: Wednesday, 9 April 2003 20:51
    > To: security-basics@securityfocus.com
    > Subject: Re: Iptables Clues and Advices.
    >
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > It seems to me that DROP would be used for creating the
    > appearance that
    > your IP isn't in use. If you are providing no services to the
    > internet,
    > then every port should DROP.
    >
    > However, if you have any service, even just a ssh server, someone
    > portscanning you will know that you're there, and a REJECT would be
    > the correct thing to do.
    >
    > Jeff.
    >
    > On Wed, 9 Apr 2003, Julien Royère wrote:
    >
    > > I do not agree,
    > > DROP drops the connection, no more action.
    > > REJECT closes a connection by GENERATING a packet.
    > > In matters of security they do both the same thing,
    > > but if someone spoofs an IP, you may respond and annoy
    > > someone whose IP has been spoofed.
    > > Julien
    > >
    > >
    > > ----- Original Message -----
    > > From: "Jason Dixon" <jasondixon@myrealbox.com>
    > > To: <gillettdavid@fhda.edu>
    > > Cc: <security-basics@securityfocus.com>
    > > Sent: Tuesday, April 08, 2003 6:19 PM
    > > Subject: RE: Iptables Clues and Advices.
    > >
    > >
    > > > For all the folks who are under the illusion that DROP is more secure
    > > > than REJECT, I submit the following:
    > > >
    > > > http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
    > > >
    > > > -J.
    > > >
    > > > On Mon, 2003-04-07 at 20:03, David Gillett wrote:
    > > > > There is ONE specific case in which I REJECT rather than
    > > > > DROP filtered packets:
    > > > >
    > > > > Sometimes users behind my firewall need to contact an outside
    > > > > POP3 email server. Many such boxes react to such connections by
    > > > > attempting a connection back to the source on port 113 (identd).
    > > > > If I DROP connections to this port, the remote POP3 server
    > > > > will wait for its request to timeout -- and then try again and
    > > > > timeout again, two more times. By REJECTing the connection, I
    > > > > let the server try and fail and try and fail immediately, and so
    > > > > my client's download of mail begins much sooner than it would
    > > > > if I just DROPped those packets.
    > > > >
    > > > > David Gillett
    > > > >
    > > > >
    > > > > > -----Original Message-----
    > > > > > From: Allan Schon [mailto:allanschon@mckinleymachinery.com]
    > > > > > Sent: April 7, 2003 08:53
    > > > > > To: security-basics@securityfocus.com
    > > > > > Subject: RE: Iptables Clues and Advices.
    > > > > >
    > > > > >
    > > > > > >it will also result in a mess, because the server will be a
    > > > > > >hole in space (regarding the blocked ports). And what are
    > > > > > >the benefits (if there are any) of this practice?
    > > > > >
    > > > > > Well, the primary benefit is that attackers scanning for
    > > > > > specific open ports in your ip range will never find your
    > > > > > machine, if you're dropping connection attempts to the target
    > > > > > port. That's a considerable advantage, I think. They can't
    > > > > > attack you if they don't know you're there.
    > > > > >
    > > > > > Are there any specific disadvantages to DROPing?
    > > > > >
    > > > > > -----Original Message-----
    > > > > > From: Andreas Happe [mailto:andreashappe@gmx.net]
    > > > > > Sent: Saturday, April 05, 2003 5:29 PM
    > > > > > To: security-basics@securityfocus.com
    > > > > > Subject: Re: Iptables Clues and Advices.
    > > > > >
    > > > > >
    > > > > > In article <1049484753.24055.41.camel@unsigned.local.fr>,
    > > > > > Pierre BETOUIN wrote:
    > > > > > > DROP would be better there because you don't need to
    > > > > > > prevent attackers that this port is filtered.
    > > > > >
    > > > > > it will also result in a mess, because the server will be a
    > > > > > hole in space (regarding the blocked ports). And what are the
    > > > > > benefits (if there are any) of this practice?
    > > > > >
    > > > > > andreas
    > > > > > --
    > > > > > I tell them to turn to the study of mathematics, for it is only
    > > > > > there that they might escape the lusts of the flesh.
    > > > > > -- Thomas Mann, "The Magic Mountain"
    >
    > - --
    > Registered Linux user #304026.
    > "lynx -source http://jharris.tahongawaka.nu/jharris.asc | gpg --import"
    > or "gpg --keyserver pgp.mit.edu --recv-key 0xde0241b9"
    > Key fingerprint 4846 0BE4 5C8B 0DC9 3462 B642 7E77 EC33 DE02 41B9
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.0.7 (GNU/Linux)
    > Comment: Made with pgp4pine 1.76
    >
    > iD8DBQE+lGumfnfsM94CQbkRAvw8AJ937CPwv9ZYqSjyfCYB6oBtOkboZwCgly2l
    > +/cwonLnCiCLUmfxzQld6Pk=
    > =2MRG
    > -----END PGP SIGNATURE-----
    >

    -------------------------------------------------------------------
    Is SPAM over-loading your e-mail server, disk space or bandwidth?
    SurfControl E-Mail Filter is flexible, intelligent and policy-driven
    protection.
    http://www.securityfocus.com/SurfControl-security-basics2
    Download your free fully functional trial, complete with 30-days of free technical support.
    Stop SPAM before it stops you.
    -------------------------------------------------------------------
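The ruleset this thread converges on (a silent DROP for everything not offered, REJECT only for ident so that remote mail and ftp servers doing an ident lookback fail immediately instead of timing out), written out as an added example that is not part of any message above. It is a POSIX shell script that prints the iptables commands by default; run it as root with `IPT=iptables` to apply them. The interface name `eth0`, the allowed port list (only ssh), and the rate-limited LOG rule are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: an INPUT chain applying the
# DROP-by-default / REJECT-only-for-ident pattern discussed above.
# Dry run by default: the commands are printed. Run as root with
# IPT=iptables to apply them. Interface, allowed ports and the LOG rule
# are assumptions for illustration.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"          # assumed external interface
ALLOWED_TCP="${ALLOWED_TCP:-22}"  # assumed: ssh is the only offered service

build_rules() {
    # Rebuild INPUT from scratch. The policy is set last so that an
    # existing SSH session is not cut off between the flush and the
    # ESTABLISHED rule below.
    $IPT -F INPUT

    # Loopback, and replies to connections this host opened itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Services actually offered: accept new connections to these ports.
    for port in $ALLOWED_TCP; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" \
             -m conntrack --ctstate NEW -j ACCEPT
    done

    # The single REJECT: ident (tcp/113). A TCP RST makes a remote
    # mail or ftp server's ident lookup fail at once instead of
    # retrying until it times out.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 113 \
         -j REJECT --reject-with tcp-reset

    # Keep dropped probes visible to the defender without flooding the log.
    $IPT -A INPUT -i "$WAN_IF" -m limit --limit 5/min \
         -j LOG --log-prefix "INPUT drop: "

    # Everything not matched above is silently discarded: no RST, no ICMP,
    # so a closed port looks the same as an unused address.
    $IPT -P INPUT DROP
}

build_rules
```

Keeping REJECT confined to one port also limits the concern Julien raises: the only packet this host ever generates in reply to unsolicited traffic is a single RST to tcp/113 probes, so a spoofed source address receives at most that.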

