* Adaptive stealthing/unstealthing of port 113
@ 2006-04-23 11:51 Asfand Yar Qazi
  2006-04-23 12:13 ` Martijn Lievaart
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Asfand Yar Qazi @ 2006-04-23 11:51 UTC (permalink / raw)
  To: netfilter

Hi,

On Steve Gibson's site, I had a few interesting things to read about
the ZoneAlarm firewall:

(quote)
Even after many years, the (free) ZoneAlarm personal firewall from
Zone Labs is the only personal firewall to "adaptively" stealth port
113. Unlike any other firewall or NAT router (any of which could also
do the same) this allows port 113 to be stealthed to any passing
Internet scanners or probes, but "unstealthed" for any valid IDENT
connection attempts originating from remote servers with which the
user's computer is attempting to connect. (Since this could easily be
done by any personal firewall or even NAT routers, I am hopeful that
this feature might yet appear in other products.)

"Adaptive Stealthing" means that when a TCP SYN packet arrives to
request a connection to your machine's port 113, ZoneAlarm checks, on
the fly, to see whether your machine currently has any sort of
"relationship" with the remote machine (such as a pending outgoing
connection attempt). If so, the remote machine is considered to be
"friendly" and its IDENT request packet is allowed to pass through
ZoneAlarm's firewall. But if the IDENT originating machine is not
known to ZoneAlarm as a "friendly" machine, the connection requesting
packet is dropped and discarded, rendering port 113 stealth to all
unknown port scanners. It's very slick.
(end quote)

I wanna do it on my ADSL firewall!

How can I do this?  I realise I could just write a custom module in C,
but you guys probably know of a way to do it with the existing tools.

Thanks

* Re: Adaptive stealthing/unstealthing of port 113
  2006-04-23 11:51 Adaptive stealthing/unstealthing of port 113 Asfand Yar Qazi
@ 2006-04-23 12:13 ` Martijn Lievaart
  2006-04-23 15:19 ` Chris Brenton
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Martijn Lievaart @ 2006-04-23 12:13 UTC (permalink / raw)
  To: Asfand Yar Qazi; +Cc: netfilter

Asfand Yar Qazi wrote:

>Hi,
>
>On Steve Gibson's site, I had a few interesting things to read about
>the ZoneAlarm firewall:
>
>(quote)
>Even after many years, the (free) ZoneAlarm personal firewall from
>Zone Labs is the only personal firewall to "adaptively" stealth port
>113. Unlike any other firewall or NAT router (any of which could also
>do the same) this allows port 113 to be stealthed to any passing
>Internet scanners or probes, but "unstealthed" for any valid IDENT
>connection attempts originating from remote servers with which the
>user's computer is attempting to connect. (Since this could easily be
>done by any personal firewall or even NAT routers, I am hopeful that
>this feature might yet appear in other products.)
>
>"Adaptive Stealthing" means that when a TCP SYN packet arrives to
>request a connection to your machine's port 113, ZoneAlarm checks, on
>the fly, to see whether your machine currently has any sort of
>"relationship" with the remote machine (such as a pending outgoing
>connection attempt). If so, the remote machine is considered to be
>"friendly" and its IDENT request packet is allowed to pass through
>ZoneAlarm's firewall. But if the IDENT originating machine is not
>known to ZoneAlarm as a "friendly" machine, the connection requesting
>packet is dropped and discarded, rendering port 113 stealth to all
>unknown port scanners. It's very slick.
>(end quote)
>
>I wanna do it on my ADSL firewall!
>
>How can I do this?  I realise I could just write a custom module in C,
>but you guys probably know of a way to do it with the existing tools.
>

I use the recent module for this.

-A FORWARD -i ppp0 -p tcp -m tcp --dport 113 -j AUTHHACK
-A FORWARD -o ppp0 -p tcp -m tcp ! --dport 113 -j TCPOUT
-A AUTHHACK -j ULOG --ulog-prefix "Checking auth/recent : "
-A AUTHHACK -m recent --rcheck --seconds 100 --name tcpout --rsource -j RJAUTH
-A RJ -p tcp -j REJECT --reject-with tcp-reset
-A RJ -j REJECT --reject-with icmp-port-unreachable
-A RJAUTH -j ULOG --ulog-prefix "Reject auth: "
-A RJAUTH -j RJ
-A TCPOUT -j ULOG --ulog-prefix "Add to tcpout: "
-A TCPOUT -m recent --set --name tcpout --rdest

Note that many (ftp) servers with multiple ip addresses (common on 
webservers that offer ftp for uploading content) send the ident request 
from a different ip than the ftp session is going out to, so it does not 
work as often as you would like.

(Also note that the RJ chain above is generic, we know in this case it 
is tcp so we could have rejected directly with a tcp-reset).

M4

* Re: Adaptive stealthing/unstealthing of port 113
  2006-04-23 11:51 Adaptive stealthing/unstealthing of port 113 Asfand Yar Qazi
  2006-04-23 12:13 ` Martijn Lievaart
@ 2006-04-23 15:19 ` Chris Brenton
  2006-04-23 18:11 ` Robby Workman
  2006-04-24  0:54 ` Carl-Daniel Hailfinger
  3 siblings, 0 replies; 5+ messages in thread
From: Chris Brenton @ 2006-04-23 15:19 UTC (permalink / raw)
  To: Asfand Yar Qazi; +Cc: netfilter

On Sun, 2006-04-23 at 11:51 +0000, Asfand Yar Qazi wrote:
>
> "Adaptive Stealthing" means that when a TCP SYN packet arrives to
> request a connection to your machine's port 113, ZoneAlarm checks, on
> the fly, to see whether your machine currently has any sort of
> "relationship" with the remote machine

<snip>

> I wanna do it on my ADSL firewall!

IMHO IDENT is pretty much a dead protocol. Kind of dumb to trust the
connecting system to give you an honest answer about the owner of an
application.

I rarely see TCP/113 anymore but in the rare cases where I do, rejecting
with a TCP reset keeps the original connection from getting stalled.

I know this does not really answer your question, just trying to save
you some work in an effort that's not really needed.

HTH,
Chris

* Re: Adaptive stealthing/unstealthing of port 113
  2006-04-23 11:51 Adaptive stealthing/unstealthing of port 113 Asfand Yar Qazi
  2006-04-23 12:13 ` Martijn Lievaart
  2006-04-23 15:19 ` Chris Brenton
@ 2006-04-23 18:11 ` Robby Workman
  2006-04-24  0:54 ` Carl-Daniel Hailfinger
  3 siblings, 0 replies; 5+ messages in thread
From: Robby Workman @ 2006-04-23 18:11 UTC (permalink / raw)
  To: netfilter

Asfand Yar Qazi wrote:
> 
> I wanna do [Adaptive Stealthing] on my ADSL firewall!
> 
> How can I do this?  I realise I could just write a custom module in C,
> but you guys probably know of a way to do it with the existing tools.


Well, I'm far from an expert on this, and I'm aware of at least
one other individual who's been (casually) working on doing
something along those lines, but here's what I've worked up:

It is (relatively) trivial to do this on a box that's directly
connected to the internet with something like this:

> # Put an entry in /proc/net/ipt_recent/IDENT with the destination address of
> # outgoing SYN packets to SMTP (25 & 587) and IRC (6660:6670 & 7000)
> # Adjust port numbers as needed
> iptables -A OUTPUT -o eth0 -p tcp --sport 1024:65535 -m multiport --dports 25,587,6660:6670,7000 \
> --syn -m state --state NEW -m recent --set --rdest --name IDENT -j ACCEPT
> 
> # Check incoming traffic on port 113 to see if the source address matches the 
> # one recorded on outgoing requests, and that it arrives within ten seconds
> # If so, accept it; otherwise, hit next rule and progress toward chain POLICY
> iptables -A INPUT -i eth0 -p tcp --dport 113 -m state --state NEW --syn -m recent \
> --rcheck --rsource --seconds 10 --name IDENT -j ACCEPT

That would essentially open port 113 for ten seconds, but only
for the address to which a packet was sent that might require it
to be opened.

To do this on a firewall/gateway, I'm just about convinced that
there's not a (good) way to do it without coding a (or adding to
an existing) helper module.  I know someone on this list has done
some preliminary work on one, but I don't know if he wants it
made public, so I'll let him decide whether to make himself
known.  Anyway, to do this without a helper module, you could use
a combination of the above rules and midentd (or some other
identd daemon that behaves similarly).

With all that said, I do wonder this: why are you so insistent
upon having the illusion of stealth?

RW

-- 

http://rlworkman.net
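Added example, not code from the thread: a small Python model of the `recent`-list logic behind Martijn's and Robby's rules, where an outgoing SYN records the peer (`--set --rdest`) and an incoming SYN to 113 is accepted only if its source was recorded within the window (`--rcheck --rsource --seconds`). The trigger ports and window are taken from Robby's rules; the addresses in the trace are constructed, and the trace also exercises window expiry and the multi-homed-server case Martijn warns about.

```python
# Ports whose outgoing SYNs commonly trigger an IDENT callback, taken from the
# rules quoted above: SMTP (25, 587) and IRC (6660-6670, 7000).
IDENT_TRIGGER_PORTS = {25, 587, 7000} | set(range(6660, 6671))
IDENT_WINDOW_SECONDS = 10  # "--seconds 10" in the quoted INPUT rule


class RecentList:
    """Minimal model of an ipt_recent list: address -> time of the last --set."""
    def __init__(self):
        self.entries = {}

    def set_addr(self, addr, now):          # -m recent --set
        self.entries[addr] = now

    def rcheck(self, addr, now, seconds):   # -m recent --rcheck --seconds N
        seen = self.entries.get(addr)
        return seen is not None and now - seen <= seconds


def outbound_syn(recent, dst_addr, dst_port, now):
    """OUTPUT rule: record the destination (--rdest) of a new SYN to a trigger port."""
    if dst_port in IDENT_TRIGGER_PORTS:
        recent.set_addr(dst_addr, now)
        return "ACCEPT"
    return "CONTINUE"   # not our concern; the rest of OUTPUT decides


def inbound_syn(recent, src_addr, dst_port, now):
    """INPUT rule: a SYN to 113 passes only if its source (--rsource) was
    recorded within the window; anything else is dropped, i.e. stays 'stealth'."""
    if dst_port != 113:
        return "CONTINUE"
    if recent.rcheck(src_addr, now, IDENT_WINDOW_SECONDS):
        return "ACCEPT"
    return "DROP"


def scenario():
    """Constructed trace (addresses are documentation ranges, not real hosts)."""
    recent, verdicts = RecentList(), {}
    outbound_syn(recent, "192.0.2.10", 25, now=0.0)        # we connect to a mail server
    verdicts["friendly"] = inbound_syn(recent, "192.0.2.10", 113, now=3.0)
    verdicts["scanner"] = inbound_syn(recent, "198.51.100.7", 113, now=3.0)
    verdicts["expired"] = inbound_syn(recent, "192.0.2.10", 113, now=15.0)
    # Martijn's caveat: a multi-homed server sends the IDENT query from a different
    # address than the one we connected to, so the list never matches.
    outbound_syn(recent, "192.0.2.20", 25, now=20.0)
    verdicts["other_addr"] = inbound_syn(recent, "192.0.2.21", 113, now=21.0)
    return verdicts
```

The "other_addr" verdict is the case the rules cannot get right without a helper that understands the application protocol, which is why Robby's note about helper modules matters for a gateway.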

* Re: Adaptive stealthing/unstealthing of port 113
  2006-04-23 11:51 Adaptive stealthing/unstealthing of port 113 Asfand Yar Qazi
                   ` (2 preceding siblings ...)
  2006-04-23 18:11 ` Robby Workman
@ 2006-04-24  0:54 ` Carl-Daniel Hailfinger
  3 siblings, 0 replies; 5+ messages in thread
From: Carl-Daniel Hailfinger @ 2006-04-24  0:54 UTC (permalink / raw)
  To: Asfand Yar Qazi; +Cc: netfilter

Hi,

Asfand Yar Qazi wrote:
> 
> "Adaptive Stealthing" means that when a TCP SYN packet arrives to
> request a connection to your machine's port 113, ZoneAlarm checks, on
> the fly, to see whether your machine currently has any sort of
> "relationship" with the remote machine (such as a pending outgoing
> connection attempt).
> 
> I wanna do it on my ADSL firewall!

Why? Just don't drop connects to port 113 but reject them with RST
instead. "Adaptive stealthing" is just crap. If your machine is active
on the net, it can be detected (there are exceptions, but they do NOT
apply to ADSL connections and for sophisticated attackers these
exceptions almost always don't apply). If your machine is switched
off, you do not care.
So "adaptive stealthing" gives you two chances in bullshit bingo, but
not anything useful.

Regards,
Carl-Daniel
-- 
http://www.hailfinger.org/
