LinuxQuestions.org
Old 06-05-2001, 06:10 AM   #1
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31


Guys and Gals,

Does anyone know how to set TCP's MSS default value, on a Linux 7.x system?

I've told my Linux box not to discover the MTU of the network's path without an MSS value from a responding host.

However this doesn't help me.
Basically I'm trying to get my Linux box to confuse Nmap's OS fingerprint identification method and to do this I need to change the default MSS that's sent out with the first SYN packet from my box.

Thanks
/Raz
 
Old 06-05-2001, 05:13 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,001
Blog Entries: 54

Rep: Reputation: 2756
It's under /proc/sys/net/core/ as rmem and wmem stuff.
 
Old 06-06-2001, 03:33 AM   #3
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Original Poster
Rep: Reputation: 31
cheers unSpawn, I'll check it out.

Thanks,
Raz
 
Old 06-06-2001, 05:32 AM   #4
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
Nmap fails to fingerprint my machine, it's just got most of its ports set to DENY so nmap doesn't get enough back to make a proper fingerprint.

Jamie...
 
Old 06-06-2001, 06:16 AM   #5
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Original Poster
Rep: Reputation: 31
Yeah same here, when the firewall is up nothing can get a fingerprint on my box as rejected packets don't give enough info.

I'm trying to change this from a non-firewalled box.

Cheers,
Raz
 
Old 06-06-2001, 06:18 AM   #6
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
Quote:
Originally posted by razbot
Yeah same here, when the firewall is up nothing can get a fingerprint on my box as rejected packets don't give enough info.

I'm trying to change this from a non-firewalled box.
Sounds cool, any chance you can post the results of your efforts - could be useful in the future.

Cheers.

Jamie...
 
Old 06-06-2001, 06:20 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,001
Blog Entries: 54

Rep: Reputation: 2756
Jamie,

Ure fw marks itself as "Linux 2.1.122 - 2.2.16" tho.
(soz for me pryin around)
 
Old 06-06-2001, 06:26 AM   #8
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
Quote:
Originally posted by unSpawn
Jamie,

Ure fw marks itself as "Linux 2.1.122 - 2.2.16" tho.
(soz for me pryin around)
Na worries - I've played with some of the rules recently and haven't done a full external portscan for a while. Might have to look into that one!!

Jamie...
 
Old 06-06-2001, 08:11 AM   #9
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Original Poster
Rep: Reputation: 31
Jamie,

Sorry but I thought I would also have a look too.

Just building on your last comment, if you have any open port like from your httpd, then if you don't get the TCP handshake to show different handshake info, like the stuff I'm attempting to modify on my box, then people will be able to work out the OS.

Your box responds with:
TSeq(Class=RI%gcd=1%SI=190FDB%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=7F53%ACK=S++%Flags=AS%Ops=MENNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=7F53%ACK=S++%Flags=AS%Ops=MENNTNW)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Which is Linux 2.2.16

Also if you close/filter all the ports then I can still find out the OS type, as your firewall needs to filter out ICMP type 13 requests. "windows boxes don't implement this type"

Also you should disable ICMP type 8. "ping requests"

Other than that your rules are set up well.

Also don't DENY packets, REJECT them, as you can work out the filters you're running as the packets never come back; REJECT makes it look like the port is not used.

On a different note there is a server on that same subnet as yours that could cause a DOS attack on your subnet, as it's misconfigured and responded to me when I was asking your firewall to tell me if it was susceptible to broadcast pings. "smurf"

/Raz

[Edited by razbot on 06-06-2001 at 10:36 AM]
 
Old 06-06-2001, 11:35 AM   #10
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
Quote:
Originally posted by razbot
Also don't DENY packets, REJECT them, as you can work out the filters you're running as the packets never come back; REJECT makes it look like the port is not used.

On a different note there is a server on that same subnet as yours that could cause a DOS attack on your subnet, as it's misconfigured and responded to me when I was asking your firewall to tell me if it was susceptible to broadcast pings. "smurf"
The reason I am DENYing is to slow down anyone who is port scanning me, as your port scanner will try a few times before it gives up. REJECTing will just let them get onto the next port that little bit faster.

As for the other machine on the subnet - it doesn't surprise me! I'm on a Telewest cablemodem and most people just have them hooked straight into a Windows box with no firewall so I imagine they'll soon be getting used for DDoS attacks soon enough.

cheers for the input!

Jamie...
 
Old 06-07-2001, 06:28 AM   #11
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Original Poster
Rep: Reputation: 31
You have a good point, but.

When you use something like nmap to scan, you can start off with the accepted but closed unprivileged ports, then it gets an idea of the timings for DENYed ports, so it's just wizzzzssss through them. Also got a cool option called --max_rtt_timeout

As for the DOS from the other system, just add these to your firewall script and problem gone.

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

+ block incoming type 8 ICMP requests.

/Raz
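
An added example (not part of the original posts): a read-only check that the /proc settings listed in the post above are actually in effect, for instance after a reboot or a change to the firewall script. The `audit_sysctls` function name and its optional root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the /proc/sys/net/ipv4 settings from the post above.
# The optional ROOT argument is an assumption of this example so the check can
# be pointed at a test tree; on a real host call audit_sysctls with no argument.

# key=expected pairs, copied from the echo lines in the post.
SETTINGS="
tcp_syncookies=1
ip_always_defrag=1
icmp_echo_ignore_broadcasts=1
icmp_ignore_bogus_error_responses=1
conf/all/rp_filter=1
conf/all/accept_redirects=0
conf/all/send_redirects=0
"

# audit_sysctls [ROOT]
# Prints one line per key: OK, DRIFT (value differs) or MISSING (key absent;
# ip_always_defrag, for one, was dropped after the 2.2 kernel series).
# The return status is the number of DRIFT keys, so 0 means every key that
# exists on this kernel holds the expected value.
audit_sysctls() {
    root=${1:-/proc/sys/net/ipv4}
    drift=0
    for pair in $SETTINGS; do
        key=${pair%%=*}
        want=${pair#*=}
        file=$root/$key
        if [ ! -r "$file" ]; then
            echo "MISSING $key"
            continue
        fi
        # Take the first whitespace-delimited field; tolerate a missing newline.
        read -r have _ < "$file" || true
        if [ "$have" = "$want" ]; then
            echo "OK      $key=$have"
        else
            echo "DRIFT   $key=$have (expected $want)"
            drift=$((drift + 1))
        fi
    done
    return "$drift"
}
```

Settings written with `echo` into /proc do not survive a reboot, which is why the post puts them in the firewall script; running the check from cron or at the end of that script catches drift.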
 
  

