hosts.deny

hosts.deny

[Dennis Cardinale]

When running a netfilter firewall, is there any reason to continue using the
hosts.deny and hosts.allow files, or is this just superfluous?

Thanks,

Dennis

Re: hosts.deny

[Antony Stone]

On Sunday 07 July 2002 11:54 pm, Dennis Cardinale wrote:

> When running a netfilter firewall, is there any reason to continue using
> the hosts.deny and hosts.allow files, or is this just superfluous?

hosts.allow can still be useful to specify a command to run when a connection 
comes in (eg to provide some special logging ?), but these files don't add 
any security to a decently configured netfilter setup.

[ IMHO ]

 

Antony.

Re: hosts.deny

[Jack Bowling]

** Reply to message from Antony Stone <Antony@Soft-Solutions.co.uk> on Mon, 08 Jul 2002 00:04:34 +0100


> On Sunday 07 July 2002 11:54 pm, Dennis Cardinale wrote:
> 
> > When running a netfilter firewall, is there any reason to continue using
> > the hosts.deny and hosts.allow files, or is this just superfluous?
> 
> hosts.allow can still be useful to specify a command to run when a connection 
> comes in (eg to provide some special logging ?), but these files don't add 
> any security to a decently configured netfilter setup.

Beg to differ. /etc/hosts.deny allows access tuning of services that are set wide open on the firewall, ssh being a prime example.

jb

-- 
Jack Bowling
mailto: jbinpg@shaw.ca

Re: hosts.deny

[Antony Stone]

On Monday 08 July 2002 12:51 am, Jack Bowling wrote:

> ** Reply to message from Antony Stone <Antony@Soft-Solutions.co.uk> on Mon,
> 08 Jul 2002 00:04:34 +0100
>
> > hosts.allow can still be useful to specify a command to run when a
> > connection comes in (eg to provide some special logging ?), but these
> > files don't add any security to a decently configured netfilter setup.
>
> Beg to differ. /etc/hosts.deny allows access tuning of services that are
> set wide open on the firewall, ssh being a prime example.

The firewall shouldn't be set wide open.   Put whatever restrictions you used 
to apply in hosts.deny into your firewall rules instead, then people can't 
even see you're running an ssh server to try cracking.

 

Antony.

Re: hosts.deny

[Jack Bowling]

** Reply to message from Antony Stone <Antony@Soft-Solutions.co.uk> on Mon, 08 Jul 2002 00:59:16 +0100


> On Monday 08 July 2002 12:51 am, Jack Bowling wrote:
> 
> > ** Reply to message from Antony Stone <Antony@Soft-Solutions.co.uk> on Mon,
> > 08 Jul 2002 00:04:34 +0100
> >
> > > hosts.allow can still be useful to specify a command to run when a
> > > connection comes in (eg to provide some special logging ?), but these
> > > files don't add any security to a decently configured netfilter setup.
> >
> > Beg to differ. /etc/hosts.deny allows access tuning of services that are
> > set wide open on the firewall, ssh being a prime example.
> 
> The firewall shouldn't be set wide open.   Put whatever restrictions you used 
> to apply in hosts.deny into your firewall rules instead, then people can't 
> even see you're running an ssh server to try cracking.

Agreed. But having the same set of restrictions in the hosts.access files means you have a backup in case your firewall goes down unannounced.

jb

-- 
Jack Bowling
mailto: jbinpg@shaw.ca

Re: hosts.deny

[Ian C. Sison]

On Sun, 7 Jul 2002, Jack Bowling wrote:

> ** Reply to message from Antony Stone <Antony@Soft-Solutions.co.uk> on Mon, 08 Jul 2002 00:04:34 +0100
>
>
> > On Sunday 07 July 2002 11:54 pm, Dennis Cardinale wrote:
> >
> > > When running a netfilter firewall, is there any reason to continue using
> > > the hosts.deny and hosts.allow files, or is this just superfluous?
> >
> > hosts.allow can still be useful to specify a command to run when a connection
> > comes in (eg to provide some special logging ?), but these files don't add
> > any security to a decently configured netfilter setup.
>
> Beg to differ. /etc/hosts.deny allows access tuning of services that
> are set wide open on the firewall, ssh being a prime example.

setting up a world-allow connection to the openssh port is the problem.
It's shouldn't be done at all.

One should use the iptables INPUT rules to filter ssh connections per IP,
which is equivalent to the functionality of hosts.[allow|deny]

Not only that, with iptables INPUT, the proper response will be given
(connection refused for iptables, vs. connection accepted... connection
closed for tcp_wrappers)

tcp_wrappers is old technology and should be deprecated.

Re: hosts.deny

[Matthew Hellman]

IMHO, most definitely. Good security is best accomplished in layers. What if
a remote exploit is released for netfilter? Continue to "harden" your box
just like you would if you didn't even have netfilter. Remove uneeded
services, tighter permissions, configure tcp wrappers, etc, etc.

----- Original Message -----
From: "Dennis Cardinale" <dennis@core-enterprises.com>
To: "Netfilter Mailing List" <netfilter@lists.samba.org>
Sent: Sunday, July 07, 2002 5:54 PM
Subject: hosts.deny


> When running a netfilter firewall, is there any reason to continue using
the
> hosts.deny and hosts.allow files, or is this just superfluous?
>
> Thanks,
>
> Dennis
>
>

RE: hosts.deny

[George Vieira]

Use it as a precaution.. if that HOST.DENY runs... then you have an
intrusion which you need to fix..

I do this..

vi /etc/hosts.deny
#---------------------
ALL:            ALL : spawn (/bin/hosts.deny.script %d %a %h) &
#---------------------

Every deny spawns my script, my script determines if it's a true attack and
can take counter measures like email me and then shutdown the firewall
etc.etc..

BUT YOU HAVE TO MAKE SURE IT'S AN INTRUSION!

Other ways is to run snort or portsentry and others.. I'm happy with my
script.. it's activated once only because I forgot to allow my VPN user to
get through... ;) Oops.. Blocked him for a while..

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au



-----Original Message-----
From: Dennis Cardinale [mailto:dennis@core-enterprises.com]
Sent: Monday, 08 July 2002 8:54 AM
To: Netfilter Mailing List
Subject: hosts.deny


When running a netfilter firewall, is there any reason to continue using the
hosts.deny and hosts.allow files, or is this just superfluous?

Thanks,

Dennis

Re: hosts.deny

[Martin Tomasek]

[-- Attachment #1: Type: text/plain, Size: 792 bytes --]

> Every deny spawns my script, my script determines if it's a true attack and
> can take counter measures like email me and then shutdown the firewall
> etc.etc..

=> DOS

while true;do send_data_which_will_run_your_script;done;

should run _many_ scripts, if not, it could be parallelized.

> Other ways is to run snort or portsentry and others.. I'm happy with my
> script.. it's activated once only because I forgot to allow my VPN user to
> get through... ;) Oops.. Blocked him for a while..

portsentry, which blocks ips => DOS

for a in `seq 1 1000`;do
send_data_which_will_trigger_postsentry_from_spoofed_ips;done;

where spoofed ips are google.com etc, it may include ips from your
network.

-- 
Martin Tomasek, mtd@email.cz
BOFH excuse #49:
Bogon emissions

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

RE: hosts.deny

[George Vieira]

I thought iptables and linux could block spoofed ips anyway.. this is a last
resort..

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au



-----Original Message-----
From: Martin Tomasek [mailto:mtd@mk.cvut.cz]
Sent: Monday, 08 July 2002 9:20 AM
To: netfilter@lists.samba.org
Subject: Re: hosts.deny


> Every deny spawns my script, my script determines if it's a true attack
and
> can take counter measures like email me and then shutdown the firewall
> etc.etc..

=> DOS

while true;do send_data_which_will_run_your_script;done;

should run _many_ scripts, if not, it could be parallelized.

> Other ways is to run snort or portsentry and others.. I'm happy with my
> script.. it's activated once only because I forgot to allow my VPN user to
> get through... ;) Oops.. Blocked him for a while..

portsentry, which blocks ips => DOS

for a in `seq 1 1000`;do
send_data_which_will_trigger_postsentry_from_spoofed_ips;done;

where spoofed ips are google.com etc, it may include ips from your
network.

-- 
Martin Tomasek, mtd@email.cz
BOFH excuse #49:
Bogon emissions

Re: hosts.deny

[Antony Stone]

On Monday 08 July 2002 12:24 am, George Vieira wrote:

> I thought iptables and linux could block spoofed ips anyway.. this is a
> last resort..

How do you block a spoofed IP ?   How do you know it's spoofed ?

 

Antony

RE: hosts.deny

[Ed Street]

Hello,

I've taken the hosts.deny file a bit further and wrote a hosts.trashcan
and a hosts.dnat.

The hosts.trashcan uses the time patch, it will reject any ip/netmask
from start_time to end_time on days.

The hosts.dnat file will setup a dnat rule, it's format is 
Sport	ip	dport	protocol

Ed

Re: hosts.deny

[Antony Stone]

On Monday 08 July 2002 12:33 am, Ed Street wrote:

> Hello,
>
> I've taken the hosts.deny file a bit further and wrote a hosts.trashcan
> and a hosts.dnat.
>
> The hosts.trashcan uses the time patch, it will reject any ip/netmask
> from start_time to end_time on days.
>
> The hosts.dnat file will setup a dnat rule, it's format is
> Sport	ip	dport	protocol

Can you give some more details on how these work please ?

 

Antony.

RE: hosts.deny

[Ed Street]

[-- Attachment #1: Type: text/plain, Size: 1012 bytes --]

Hello,

Sure attached is the hosts.trashcan file I am currenly testing.
Basically it uses the netfilter time patch.  You edit the file to
include the ip/hostmask the start_time, stop_time and days to deny.  The
only down side to this is the date wraping (i.e. deny time going past
midnight) and you have to rerun the script after any change to the
files.

Ed

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
Sent: Sunday, July 07, 2002 7:39 PM
To: netfilter@lists.samba.org
Subject: Re: hosts.deny

On Monday 08 July 2002 12:33 am, Ed Street wrote:

> Hello,
>
> I've taken the hosts.deny file a bit further and wrote a
hosts.trashcan
> and a hosts.dnat.
>
> The hosts.trashcan uses the time patch, it will reject any ip/netmask
> from start_time to end_time on days.
>
> The hosts.dnat file will setup a dnat rule, it's format is
> Sport	ip	dport	protocol

Can you give some more details on how these work please ?

 

Antony.

[-- Attachment #2: hosts.trashcan --]
[-- Type: application/octet-stream, Size: 2358 bytes --]

# ------------------------------------------------------------
#			hosts.trashcan
# this is the trashcan file used for iptables to deny from
#
# ------------------------------------------------------------

#
# you should restart /etc/init.d/rc.firewall.iptables when making *ANY*
# changes to this file!
#
# Currently there is NO need to restart the script on a timed basis.
#
# Timed restarts will be added with ip accounting for daily stats.
#
#
#	start_time and end_time is HH:MM
#	days is Mon,Tue,Wed,Thu,Fri,Sat,Sun
#	if these 3 fields are NA then put an X but do NOT leave it blank!
#
#  **********NOTE**********
#
#	if stoptime is *AFTER* midnight then create 2 rules.
#	rule 1) start_time	23:59
#	rule 2) 00:00		stop_time
#
#	This is a bug in the time patch and is being worked on by the
#	developer in the next release
#
#  **********NOTE**********
#
# example formats
# host/mask	start_time	end_time	days
# www.google.com x x x
# 10.0.0.1/24 x x x

#TEST BLOCK
#192.168.1.200	17:00	23:59   Mon,Tue,Wed,Thu,Fri,Sat,Sun
#192.168.1.200	00:00	08:00	Mon,Tue,Wed,Thu,Fri,Sat,Sun


# ------------------------------------------------------------
#			p0rn spam locations
# ------------------------------------------------------------

#<ip/netmask>    <start_time>    <stop_time>     <days>
217.56.69.170 x x x

#mail1.famk.com x x x
64.38.209.73/24 x x x
youvegotpornmail.com x x x

211.250.155.163/24 x x x
#sexymailers.com/24 x x x
64.119.200.138/24 x x x
210.102.176.5/24 x x x
193.230.98.160/24 x x x
61.141.213.83/24 x x x
21.119.57.33/24 x x x
210.21.102.67 x x x

webport-cl6-cache3.ilford.mdip.bt.net x x x
213.120.56.41 x x x


# ------------------------------------------------------------
#			spam crap
# ------------------------------------------------------------

#<ip/netmask>	<start_time>	<stop_time>	<days>
doubleclick.net/24 x x x
216.255.192.1/24 x x x

#annoying junk from lop
www.lop.com/16 x x x

www.x10.com/24 x x x
www.entercasino.com/24 x x x
media.fastclick.net/24 x x x
www.casino-on-net.com/24 x x x

#korea
210.95.109.130/16 x x x

# ------------------------------------------------------------
#			misc user defined
# ------------------------------------------------------------

#<ip/netmask>    <start_time>    <stop_time>     <days>

Re: hosts.deny

[Antony Stone]

On Monday 08 July 2002 12:48 am, Ed Street wrote:

> Hello,
>
> Sure attached is the hosts.trashcan file I am currenly testing.

Interesting.   How does your script handle resolving machine names to IP 
addresses (as shown in several examples in your trashcan file) when one name 
corresponds to several IPs ?

 

Antony.

RE: hosts.deny

[Ed Street]

Hello,

Dns lookups.  Note some cases the /netmask is somewhat overkill.  I felt
better safe than sorry, incase they have a block of ip's.

Ed

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
Sent: Sunday, July 07, 2002 7:57 PM
To: netfilter@lists.samba.org
Subject: Re: hosts.deny

On Monday 08 July 2002 12:48 am, Ed Street wrote:

> Hello,
>
> Sure attached is the hosts.trashcan file I am currenly testing.

Interesting.   How does your script handle resolving machine names to IP

addresses (as shown in several examples in your trashcan file) when one
name 
corresponds to several IPs ?

 

Antony.

Re: hosts.deny

[Antony Stone]

On Monday 08 July 2002 1:01 am, Ed Street wrote:

> Hello,
>
> Dns lookups.

Well, yes, obviously the way to resolve hostnames to IP addresses is by DNS 
lookups :-)

What I meant was, how does your script cope when you want to block something 
like, say, www.microsoft.com, and the DNS lookup returns 6 different IP 
addresses, from two different class C ranges (which is what I just got by 
doing a dig on the name) ?

> Note some cases the /netmask is somewhat overkill.  I felt
> better safe than sorry, incase they have a block of ip's.

I'd have thought it unlikely that a hostname would resolve to multiple 
contiguous IPs.   If a company has enough load that they're running multiple 
servers, they're probably doing it on multiple feeds as well, which will have 
widely differing IP addresses.....

 

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
> Sent: Sunday, July 07, 2002 7:57 PM
> To: netfilter@lists.samba.org
> Subject: Re: hosts.deny
>
> On Monday 08 July 2002 12:48 am, Ed Street wrote:
> > Hello,
> >
> > Sure attached is the hosts.trashcan file I am currenly testing.
>
> Interesting.   How does your script handle resolving machine names to IP
>
> addresses (as shown in several examples in your trashcan file) when one
> name
> corresponds to several IPs ?
>
>
>
> Antony.

RE: hosts.deny

[Ed Street]

Hello,

Well a few short lines of code would do that with no problem.

Ed

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
Sent: Sunday, July 07, 2002 8:12 PM
To: netfilter@lists.samba.org
Subject: Re: hosts.deny

On Monday 08 July 2002 1:01 am, Ed Street wrote:

> Hello,
>
> Dns lookups.

Well, yes, obviously the way to resolve hostnames to IP addresses is by
DNS 
lookups :-)

What I meant was, how does your script cope when you want to block
something 
like, say, www.microsoft.com, and the DNS lookup returns 6 different IP 
addresses, from two different class C ranges (which is what I just got
by 
doing a dig on the name) ?

> Note some cases the /netmask is somewhat overkill.  I felt
> better safe than sorry, incase they have a block of ip's.

I'd have thought it unlikely that a hostname would resolve to multiple 
contiguous IPs.   If a company has enough load that they're running
multiple 
servers, they're probably doing it on multiple feeds as well, which will
have 
widely differing IP addresses.....

 

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
> Sent: Sunday, July 07, 2002 7:57 PM
> To: netfilter@lists.samba.org
> Subject: Re: hosts.deny
>
> On Monday 08 July 2002 12:48 am, Ed Street wrote:
> > Hello,
> >
> > Sure attached is the hosts.trashcan file I am currenly testing.
>
> Interesting.   How does your script handle resolving machine names to
IP
>
> addresses (as shown in several examples in your trashcan file) when
one
> name
> corresponds to several IPs ?
>
>
>
> Antony.

Re: hosts.deny

[Antony Stone]

On Monday 08 July 2002 3:27 am, Ed Street wrote:

> Hello,
>
> Well a few short lines of code would do that with no problem.

Sounds good.   Could you post the code to the list so that people can see how 
it can be done ?   It might be useful for a few different applications...

Thanks,

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
> Sent: Sunday, July 07, 2002 8:12 PM
> To: netfilter@lists.samba.org
> Subject: Re: hosts.deny
>
> On Monday 08 July 2002 1:01 am, Ed Street wrote:
> > Hello,
> >
> > Dns lookups.
>
> Well, yes, obviously the way to resolve hostnames to IP addresses is by
> DNS
> lookups :-)
>
> What I meant was, how does your script cope when you want to block
> something
> like, say, www.microsoft.com, and the DNS lookup returns 6 different IP
> addresses, from two different class C ranges (which is what I just got
> by
> doing a dig on the name) ?
>
> > Note some cases the /netmask is somewhat overkill.  I felt
> > better safe than sorry, incase they have a block of ip's.
>
> I'd have thought it unlikely that a hostname would resolve to multiple
> contiguous IPs.   If a company has enough load that they're running
> multiple
> servers, they're probably doing it on multiple feeds as well, which will
> have
> widely differing IP addresses.....
>
>
>
> Antony.
>
> > -----Original Message-----
> > From: netfilter-admin@lists.samba.org
> > [mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
> > Sent: Sunday, July 07, 2002 7:57 PM
> > To: netfilter@lists.samba.org
> > Subject: Re: hosts.deny
> >
> > On Monday 08 July 2002 12:48 am, Ed Street wrote:
> > > Hello,
> > >
> > > Sure attached is the hosts.trashcan file I am currenly testing.
> >
> > Interesting.   How does your script handle resolving machine names to
>
> IP
>
> > addresses (as shown in several examples in your trashcan file) when
>
> one
>
> > name
> > corresponds to several IPs ?
> >
> >
> >
> > Antony.

RE: hosts.deny

[Ed Street]

Hello,

Sure will.  Should have some free time this week to work on it.

Ed

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
Sent: Sunday, July 07, 2002 10:34 PM
To: netfilter@lists.samba.org
Subject: Re: hosts.deny

On Monday 08 July 2002 3:27 am, Ed Street wrote:

> Hello,
>
> Well a few short lines of code would do that with no problem.

Sounds good.   Could you post the code to the list so that people can
see how 
it can be done ?   It might be useful for a few different
applications...

Thanks,

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
> Sent: Sunday, July 07, 2002 8:12 PM
> To: netfilter@lists.samba.org
> Subject: Re: hosts.deny
>
> On Monday 08 July 2002 1:01 am, Ed Street wrote:
> > Hello,
> >
> > Dns lookups.
>
> Well, yes, obviously the way to resolve hostnames to IP addresses is
by
> DNS
> lookups :-)
>
> What I meant was, how does your script cope when you want to block
> something
> like, say, www.microsoft.com, and the DNS lookup returns 6 different
IP
> addresses, from two different class C ranges (which is what I just got
> by
> doing a dig on the name) ?
>
> > Note some cases the /netmask is somewhat overkill.  I felt
> > better safe than sorry, incase they have a block of ip's.
>
> I'd have thought it unlikely that a hostname would resolve to multiple
> contiguous IPs.   If a company has enough load that they're running
> multiple
> servers, they're probably doing it on multiple feeds as well, which
will
> have
> widely differing IP addresses.....
>
>
>
> Antony.
>
> > -----Original Message-----
> > From: netfilter-admin@lists.samba.org
> > [mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
> > Sent: Sunday, July 07, 2002 7:57 PM
> > To: netfilter@lists.samba.org
> > Subject: Re: hosts.deny
> >
> > On Monday 08 July 2002 12:48 am, Ed Street wrote:
> > > Hello,
> > >
> > > Sure attached is the hosts.trashcan file I am currenly testing.
> >
> > Interesting.   How does your script handle resolving machine names
to
>
> IP
>
> > addresses (as shown in several examples in your trashcan file) when
>
> one
>
> > name
> > corresponds to several IPs ?
> >
> >
> >
> > Antony.

RE: hosts.deny

[George Vieira]

spoofed as in local IP coming in from the internet..
this is what I mean..

#-- hosts.allow
ALL: 192.168.0.

#-- iptables
iptables -A INPUT -s 192.168.0.0/24 -i eth1 -j DROP  # eth1=internet

that's some attacks but doesn't stop DOS attacks which hackers end up in the
local machines IP(local access).. that's when you need other software to
protect it (ie. tripwire, etc..)

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au



-----Original Message-----
From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk]
Sent: Monday, 08 July 2002 9:29 AM
To: netfilter@lists.samba.org
Subject: Re: hosts.deny


On Monday 08 July 2002 12:24 am, George Vieira wrote:

> I thought iptables and linux could block spoofed ips anyway.. this is a
> last resort..

How do you block a spoofed IP ?   How do you know it's spoofed ?

 

Antony

Re: hosts.deny

[Antony Stone]

On Monday 08 July 2002 12:36 am, George Vieira wrote:

> spoofed as in local IP coming in from the internet..

I call that ingress filtering.

I regard spoofing as an incoming connection with a plausible but false source 
address, typically used on Denial of Service attacks, either to disguise the 
true source of the attack, and/or to cause an active IDS to block access to 
networks you really don't want to block.

 

Antony.

RE: hosts.deny

[Ed Street]

Hello,

This is most commonly seen in spam mail.

Ed

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
Sent: Sunday, July 07, 2002 7:44 PM
To: netfilter@lists.samba.org
Subject: Re: hosts.deny

On Monday 08 July 2002 12:36 am, George Vieira wrote:

> spoofed as in local IP coming in from the internet..

I call that ingress filtering.

I regard spoofing as an incoming connection with a plausible but false
source 
address, typically used on Denial of Service attacks, either to disguise
the 
true source of the attack, and/or to cause an active IDS to block access
to 
networks you really don't want to block.

 

Antony.

Re: hosts.deny

[Antony Stone]

On Monday 08 July 2002 12:49 am, Ed Street wrote:

> Hello,
>
> This is most commonly seen in spam mail.

I most commonly see it in port scans, and probes for http / sql holes.

Spam mail may contain misleading headers (until you get to learn where to 
stop reading the machine names, and realise that the headers have been rigged 
from that point on), but they can't disguise the real IP address of the relay 
machine which fed the mail into the smtp chain...

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
> Sent: Sunday, July 07, 2002 7:44 PM
> To: netfilter@lists.samba.org
> Subject: Re: hosts.deny
>
> On Monday 08 July 2002 12:36 am, George Vieira wrote:
> > spoofed as in local IP coming in from the internet..
>
> I call that ingress filtering.
>
> I regard spoofing as an incoming connection with a plausible but false
> source
> address, typically used on Denial of Service attacks, either to disguise
> the
> true source of the attack, and/or to cause an active IDS to block access
> to
> networks you really don't want to block.
>
>
>
> Antony.

Re: hosts.deny

[Martin Tomasek]

[-- Attachment #1: Type: text/plain, Size: 468 bytes --]

> I most commonly see it in port scans, and probes for http / sql holes.

You cannot use random spoofed ip adresses with stateful protocol such as
tcp. In tcp is possible to do only SYN floods with random ips -- which
could be solved for example by syncookies.

What you see in portscans or probes are real ips (excluding some
portscan types, which uses "proxy" host).

-- 
Martin Tomasek, mtd@email.cz
BOFH excuse #293:
You must've hit the wrong anykey.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: hosts.deny

[Antony Stone]

On Monday 08 July 2002 1:14 am, Martin Tomasek wrote:

> > I most commonly see it in port scans, and probes for http / sql holes.
>
> You cannot use random spoofed ip adresses with stateful protocol such as
> tcp.

Not if you want the connection to succeed, you can't, no - but if you're just 
trying to fill up some log files with misleading IP addresses, hoping to 
disguise the real ones which succeed in connecting, there's no reason you 
can't use a spoofed address for TCP.

> In tcp is possible to do only SYN floods with random ips -- which
> could be solved for example by syncookies.
>
> What you see in portscans or probes are real ips (excluding some
> portscan types, which uses "proxy" host).

Nmap, one of the commonest port scanners around, typically uses a 'half open 
SYN scan', and it can be told to liberally pepper the packets sent to the 
target machine with SYNs from false addresses (false as in they don't belong 
to the attacker; they may or may not exist as real addresses on some other 
machine).   Only the SYN/ACKs sent back to the real attacker's machine 
contribute to getting a result on the port scan, but the system being scanned 
can't tell which ones those are.

 

Antony.

RE: hosts.deny

[George Vieira]

Most of the http and sql scans are viruses I found.

in regards to sendmail, use a spam filter using sendmail 8.12 and spamcop or
something..

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au



-----Original Message-----
From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk]
Sent: Monday, 08 July 2002 9:56 AM
To: netfilter@lists.samba.org
Subject: Re: hosts.deny


On Monday 08 July 2002 12:49 am, Ed Street wrote:

> Hello,
>
> This is most commonly seen in spam mail.

I most commonly see it in port scans, and probes for http / sql holes.

Spam mail may contain misleading headers (until you get to learn where to 
stop reading the machine names, and realise that the headers have been
rigged 
from that point on), but they can't disguise the real IP address of the
relay 
machine which fed the mail into the smtp chain...

Antony.