I am trying to run a PCI compliancy check on my server but it is failing for one reason.
Code:
Summary:
UDP constant IP Identification field reveals host type
Risk: High (3)
Port: 139/tcp
Protocol: tcp
Threat ID: misc_udpipidzero
Details: 10/01/09
CVE 2002-0510
When sending packets which are not fragmented, the UDP implementation in Linux kernels sets the
Identification field in the IP header to a constant
value, namely zero. This behavior, when observed by a
remote user, can be used to determine that the operating
system is Linux. Knowledge of a remote operating system
gives potential attackers a starting point for planning an attack.
Now I am not even sure why port 139 is setting it off as I have my set my iptables rules to explicitly drop both udp and tcp on port 139 but it doesn't matter. Here is the iptables rule I am using to block that port in case I am doing it wrong.
Code:
iptables -A INPUT -p tcp --dport 139 -j DROP
iptables -A INPUT -p udp --dport 139 -j DROP
Has anyone heard of this problem before? Is there a kernel patch or module to remove this behavior? I am running Debian on a 2.6.32-5 kernel. Google searches have turned up little. I am stuck up against a wall here. Any point in the right direction would be most helpfull.
