Berkeley CSUA MOTD:Entry 18465

2000/6/14-16 [Computer/SW/Security] UID:18465 Activity:high
6/14    I have written a program that "pipes" port1 to port2 on a machine
        [so if you do say telnet foo 25 that can automatically send to
        port 19, chargen].  Is there a way to grab all the unbound ports
        and map them to chargen, to deter people scanning my machine?  Will
        that be an expensive program to run?  I don't want to launch one
        version of the process for each port.  Thanks!
        \_ Why are you even doing this?  You're reinventing the wheel.
           Just use the IP firewall rules built into your OS to port
           forward a range of ports.
                \_ I want to turn this on and off.  Also not all OSes support
                IP firewall.  Would like to do this at the application level.
                Can you tell me how to listen on all the unbound ports like
                inetd?
                \_ Sheesh, get a real os.  What are you using?  win 3.1?
                   \_ It's actually a vintage box; running a hacked-up
                      TCP/IP stack for CP/M. I'm using it as a low-load
                      web server
                \_ inetd doesn't listen on all unbound ports - it listens on
                   the ports listed in inetd.conf.  You could write a program
                   that looped through all possible port numbers and bound them
                   (if your OS supports opening 64k fd's in a single process)
                   but that would prevent any other app from being able to bind
                   a listening port.
                        \_ N0H0ZERZ!
                \_ If the ports are unused what's the big deal?  You can't stop
                   a scan.  And if you have insecure services running on other
                   ports, your program won't help that either.  What are you
                   trying to do?  What's the point?  Your program won't do
                   anything useful for you.
        \_ An easier thing to do is run FreeBSD 4.x and in /etc/rc.conf set
           tcp_restrict_rst="YES"  This will cause connections to ports with
           nothing listening to hang until timed out.  This pretty much kills
           portscanning.  --dbushong
                \_ Who cares?  Let em scan.  Security through obfuscation and
                   irritation is not security.  You're only slowing down the
                   inevitable.
                   \_ If you don't believe in "security through obfuscation"
                      you won't mind sharing all your passwords with me.
                        \_ That's different.  A password is obscure in a
                           way that in order to crack it, you need to
                           try a bunch of random combinations before you
                           can get it right.  Security through obscurity
                           is where a backdoor exists but you just hid it
                           somewhere.  It's the difference between a key
                           to your house and hiding that key under the mat.
                           The key is like the password.  Hiding the key
                           under the mat is the obscure part.  Obviously,
                           most prowlers will usually look under the mat
                           first before actually cracking the windows.
                        \_ A password is not obfuscation.  Hiding your buggy
                           service on a random port and making it hard to scan
                           is obfuscation.  Given a few extra minutes your
                           s00per sekret buggy service will turn up.  My ssh
                           passphrase won't.  You know I could give you my
                           ssh passphrase and it won't help you get into any
                           of the machines I run but you wouldn't understand
                           why.  Damn, it's so sad there's no real ugrad
                           security classes.  It shows.
                        \- i was thinking about writing something to wedge
                        the iss scanner specifically. am trying to decide
                        whether to do it at a tcp level [long time outs etc.]
                        or generate random data on port 80, when talking to
                        nfsd, mountd etc. i am also thinking about using
                        xinetd. would be interested in more discussion on
                        this. --psb
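
The approach from the inetd reply above (one process that loops over port numbers and binds whatever is free), as an added example that is not part of the original thread. The function names, the 64-descriptor reserve and the chargen-style payload are assumptions of this example; it skips ports a real service already holds and stops binding once the process's file descriptor limit is reached.

```python
import errno, resource, selectors, socket

CHARGEN = bytes(range(32, 127)) * 2      # printable-ASCII filler, chargen style

def fd_budget(reserve=64):               # soft fd limit minus a reserve
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    return max(0, soft - reserve)

def bind_unused(host, ports, budget=None):
    """Bind each port nothing else holds. Returns ({port: socket}, skipped)."""
    budget = fd_budget() if budget is None else budget
    listeners, skipped = {}, []
    for port in ports:
        if len(listeners) >= budget:     # out of descriptors: stop binding
            skipped.append(port)
            continue
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))         # fails if something already holds it
            s.listen(8)
            s.setblocking(False)
            listeners[port] = s
        except OSError as e:
            s.close()
            if e.errno not in (errno.EADDRINUSE, errno.EACCES):
                raise
            skipped.append(port)         # a real service, or a privileged port
    return listeners, skipped

def serve(listeners, rounds, timeout=0.2):
    """One select loop over every listener; returns connections answered."""
    served = 0
    with selectors.DefaultSelector() as sel:
        for s in listeners.values():
            sel.register(s, selectors.EVENT_READ)
        for _ in range(rounds):
            for key, _events in sel.select(timeout):
                conn, _addr = key.fileobj.accept()
                with conn:
                    conn.settimeout(timeout)
                    try:
                        conn.sendall(CHARGEN)
                        served += 1
                    except OSError:
                        pass             # peer reset before the data went out
    return served

if __name__ == "__main__":               # constructed demo range on loopback
    ls, skipped = bind_unused("127.0.0.1", range(20000, 20010))
    print("bound:", sorted(ls), "skipped:", skipped)
```

As the reply notes, every port held this way is unavailable to any other program that later tries to bind it, until the listener is closed.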