lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 7 Dec 2006 00:20:06 -0500
From: "Eliah Kagan" <degeneracypressure@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Hail list!

On 12/6/06, aNub15 wrote:
> 2. Looking for a low footprint windows firewall that's only supposed to do
> one thing. If someone hits port 110, block the I.P for a week? (should take
> care of most portscanners (skiddies)). And no I'm not worried about blocking
> real users on the box.

Has it occurred to you that someone could send spoofed SYN packets
with port 110 as the destination, and any IP as the source? Maybe you
should worry about blocking real users after all. If there is an IP
range where you know you have no legitimate users, you should instead
block that IP range. Any IP range where you might have legitimate
users is a range that someone could deny access to easily. Except
actually it would be you denying access to them--a person attacking
you in that way would would likely not even be legally responsible
(but I am not a lawyer).

Also, why would that prevent access by most people scanning your
ports? Suppose someone is scanning your entire subnet, for instance,
but only on port 22. Or someone could scan lots of ports on your box,
and notice that plenty were open until 110 was probed. This person
could then think one of three things:

(1) Hmm, I guess that's all the ports open on that box.
(2) Hmm, lots of ports open, and then I scan port 110, and the rest
are all closed/filtered. (This is specially likely if it is the
person's *second* scan.) There must be something nice and juicy on
that box. I will scan the rest of the ports from another IP and then
penetrate any service I can and find out why such a strange measure of
pseudo-security is in place.
(3) Hmm, I was reading Full Disclosure recently and somebody was
asking about how to blacklist IPs for a week that send traffic to port
110. I bet this is the box of the guy who wanted to know how to do it.
Let's find out why he wanted to do that...

> www.supernoia.com

Script kiddies and anybody else who likes portscanning thank you for
the heads up. If you are going to implement this almost certainly bad
idea--and it is for that server--you may wish to at least make it a
different port.

-Eliah

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists