lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 8 Dec 2006 00:21:46 -0500
From: "pingywon" <pingywon@...mail.com>
To: "Eliah Kagan" <degeneracypressure@...il.com>,
	<full-disclosure@...ts.grok.org.uk>
Subject: Re: Hail list!

have you written a book?

you write like an author. - I'd read it
----- Original Message ----- 
From: "Eliah Kagan" <degeneracypressure@...il.com>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Thursday, December 07, 2006 12:20 AM
Subject: Re: [Full-disclosure] Hail list!


> On 12/6/06, aNub15 wrote:
>> 2. Looking for a low footprint windows firewall that's only supposed to 
>> do
>> one thing. If someone hits port 110, block the I.P for a week? (should 
>> take
>> care of most portscanners (skiddies)). And no I'm not worried about 
>> blocking
>> real users on the box.
>
> Has it occurred to you that someone could send spoofed SYN packets
> with port 110 as the destination, and any IP as the source? Maybe you
> should worry about blocking real users after all. If there is an IP
> range where you know you have no legitimate users, you should instead
> block that IP range. Any IP range where you might have legitimate
> users is a range that someone could deny access to easily. Except
> actually it would be you denying access to them--a person attacking
> you in that way would would likely not even be legally responsible
> (but I am not a lawyer).
>
> Also, why would that prevent access by most people scanning your
> ports? Suppose someone is scanning your entire subnet, for instance,
> but only on port 22. Or someone could scan lots of ports on your box,
> and notice that plenty were open until 110 was probed. This person
> could then think one of three things:
>
> (1) Hmm, I guess that's all the ports open on that box.
> (2) Hmm, lots of ports open, and then I scan port 110, and the rest
> are all closed/filtered. (This is specially likely if it is the
> person's *second* scan.) There must be something nice and juicy on
> that box. I will scan the rest of the ports from another IP and then
> penetrate any service I can and find out why such a strange measure of
> pseudo-security is in place.
> (3) Hmm, I was reading Full Disclosure recently and somebody was
> asking about how to blacklist IPs for a week that send traffic to port
> 110. I bet this is the box of the guy who wanted to know how to do it.
> Let's find out why he wanted to do that...
>
>> www.supernoia.com
>
> Script kiddies and anybody else who likes portscanning thank you for
> the heads up. If you are going to implement this almost certainly bad
> idea--and it is for that server--you may wish to at least make it a
> different port.
>
> -Eliah
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists