LeRoy Cressy on Thu, 30 Jan 2003 10:21:05 -0500



Re: [PLUG] firewall risk


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From a security point of view you do not want all ports open from inside your firewall to the outside. With masquerading everything is open and something might come back through to hurt you. Thus you should only open up the ports that you really need to communicate on the Internet.

For instance:
ftp, http, mail, https, ssh, etc. are the ones that you could have open. So setting up specific rules for communication across the Internet is in your best interest. What would happen if you set up masquerading and a worm came back through on a port that you had open because of masquerading? How many times has some malicious code attacked your system?


Here are some lines from my log on my firewall:

Jan 26 07:06:44 friendly kernel: Nimda virus IN=eth0 OUT=eth2
	SRC=66.56.85.40 DST=192.168.10.1 LEN=112 TOS=0x00 PREC=0x00
	TTL=111 ID=22077 DF PROTO=TCP SPT=2583
	DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0

Jan 26 08:07:34 friendly kernel: Dropped Internet IN=eth0 OUT=
	MAC=00:40:05:3a:33:a5:00:02:3b:00:3d:c3:08:00 SRC=80.55.130.78
	DST=66.92.109.218 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=55479
	DF PROTO=TCP SPT=1355 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0

Jan 26 08:16:29 friendly kernel: Dropped from eth0 IN=eth0 OUT=
	MAC=00:40:05:3a:33:a5:00:02:3b:00:3d:c3:08:00 SRC=66.212.80.73
	DST=66.92.109.218 LEN=404 TOS=0x00 PREC=0x00 TTL=123 ID=7972
	PROTO=UDP SPT=1501 DPT=1434 LEN=384

Jan 26 09:17:41 friendly kernel: Dropped Internet IN=eth0 OUT=
	MAC=00:40:05:3a:33:a5:00:02:3b:00:3d:c3:08:00 SRC=216.191.83.15
	DST=66.92.109.218 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=35793 DF
	PROTO=TCP SPT=4744 DPT=1433 WINDOW=64240 RES=0x00 SYN URGP=0

I think that the port 1434 was the MS SQL worm this weekend. These are just an example of what a firewall can do for you. Also using a Linux or BSD firewall enables extensive logging that allows you to see what your firewall is doing for you and where the attack might be coming from. Also on the security side you do not want any services running on your firewall because if there is a problem with the service then your firewall and every other machine on your net might be compromised. Also, you should not allow ssh logins on the firewall from the Internet or from any publicly accessible box.

My own mother was attacked by a worm because she did not take security seriously enough.


Jeff Abrahamson wrote:
All the discussion about firewalls aside, if a machine is running no
services available to the outside world, how can an attacker break in?

That is, suppose I make the naive argument that I only run sshd on
port 22, so all other ports get denied anyway by dint of having
nothing listening (not even inetd). Why bother with ip tables beyond
masquerading?

(I'm pretty sure this is wrong, I just don't know why.)



- -- Rev. LeRoy D. Cressy mailto:leroy@lrcressy.com /\_/\
http://lrcressy.com ( o.o )
Phone: 215-535-4037 > ^ <


gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQE+OUD1P+/m2oUBr+oRAg88AJ4pDDoiS04vWNpS41MRUPqZtst57ACfYvm0
JzIf46KSKOC9WHHqoX/7lOQ=
=ELaj
-----END PGP SIGNATURE-----

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
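The log excerpt in the message above is the output of the netfilter LOG target, which syslog has wrapped onto tab-indented continuation lines. The following is an added example, not code from the original message or from the PLUG list: a small Python parser that rejoins those wrapped records, splits the `KEY=VALUE` fields and bare flags (`DF`, `SYN`, `ACK`, ...), tells forwarded packets apart from packets aimed at the firewall host itself (netfilter leaves `OUT=` empty for the latter), and counts what was blocked by protocol and destination port. The sample input is the four records quoted in the message; the record layout it assumes is the standard `Mon DD hh:mm:ss host kernel: <prefix> IN=... OUT=...` form shown there.

```python
"""Parse netfilter (iptables LOG target) kernel messages from syslog and
summarise what the firewall blocked, by protocol, destination port and
direction.  Added example; the only input it has seen is the sample below."""
import re
from collections import Counter

# Constructed sample input: the four syslog records quoted in the message,
# exactly as they appear there, with tab-indented continuation lines.
SAMPLE_LOG = """\
Jan 26 07:06:44 friendly kernel: Nimda virus IN=eth0 OUT=eth2
\tSRC=66.56.85.40 DST=192.168.10.1 LEN=112 TOS=0x00 PREC=0x00
\tTTL=111 ID=22077 DF PROTO=TCP SPT=2583
\tDPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0

Jan 26 08:07:34 friendly kernel: Dropped Internet IN=eth0 OUT=
\tMAC=00:40:05:3a:33:a5:00:02:3b:00:3d:c3:08:00 SRC=80.55.130.78
\tDST=66.92.109.218 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=55479
\tDF PROTO=TCP SPT=1355 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0

Jan 26 08:16:29 friendly kernel: Dropped from eth0 IN=eth0 OUT=
\tMAC=00:40:05:3a:33:a5:00:02:3b:00:3d:c3:08:00 SRC=66.212.80.73
\tDST=66.92.109.218 LEN=404 TOS=0x00 PREC=0x00 TTL=123 ID=7972
\tPROTO=UDP SPT=1501 DPT=1434 LEN=384

Jan 26 09:17:41 friendly kernel: Dropped Internet IN=eth0 OUT=
\tMAC=00:40:05:3a:33:a5:00:02:3b:00:3d:c3:08:00 SRC=216.191.83.15
\tDST=66.92.109.218 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=35793 DF
\tPROTO=TCP SPT=4744 DPT=1433 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Syslog header, the free-text prefix given to the LOG target, then the
# netfilter fields, which always begin with IN=.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?) ?(?P<fields>IN=.*)$"
)


def unwrap(text):
    """Rejoin continuation lines (those starting with whitespace) onto the
    record they belong to; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


def parse_record(line):
    """Split one unwrapped record into header, KEY=VALUE fields and flags."""
    m = HEADER.match(line)
    if not m:
        return None  # not a netfilter LOG line; caller drops it
    kv, flags = {}, []
    for tok in m["fields"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # UDP/ICMP records carry a second LEN= (transport length) after
            # PROTO=; keep it under LEN_L4 so it cannot clobber the IP length.
            if key in kv:
                key += "_L4"
            kv[key] = val
        else:
            flags.append(tok)  # DF, SYN, ACK, PSH, ...
    return {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"],
            "kv": kv, "flags": flags}


def parse_log(text):
    return [r for r in map(parse_record, unwrap(text)) if r]


def direction(rec):
    """OUT= is empty when the packet was addressed to the firewall itself
    (INPUT chain); a non-empty OUT= means it was being forwarded."""
    return "forwarded" if rec["kv"].get("OUT") else "to-firewall"


def count_by_port(recs):
    return Counter((r["kv"].get("PROTO"), r["kv"].get("DPT")) for r in recs)


def count_by_direction(recs):
    return Counter(direction(r) for r in recs)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f'{r["ts"]}  {r["prefix"]:18} {direction(r):12} '
              f'{r["kv"]["SRC"]:>15} -> {r["kv"]["DST"]:<15} '
              f'{r["kv"].get("PROTO")}/{r["kv"].get("DPT")} {" ".join(r["flags"])}')
    print("blocked by protocol/port:")
    for (proto, dpt), n in count_by_port(recs).most_common():
        print(f"  {proto}/{dpt}: {n}")
    print("by direction:", dict(count_by_direction(recs)))
```

Run against the sample, three of the four records have an empty `OUT=`, i.e. they were aimed at the firewall host on 443, 1434/udp and 1433 rather than passing through it, which is exactly the case the message makes for running no services on the firewall; the remaining record was being forwarded to an internal web server on port 80. The same parser works on a real `/var/log/messages` or `kern.log` as long as the records keep the format shown, so a practitioner can feed it a day's log and see which ports are drawing traffic.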