LinuxQuestions.org
Old 07-23-2004, 07:55 AM   #1
mykrob
Total stealthing


Hey-
I'm using Suse Pro 9.1. I ran a "Shields Up" test yesterday on "all service ports", and all my ports are showing to be stealthed except one. This un-stealthed port is closed, however.
This is relatively good, I guess, but it also shows:

Quote:
Solicited TCP Packets: RECEIVED (FAILED) - As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection.

and

Quote:
Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

How do I fix these minor issues and go "Stealth Mode" (that sounds cool)?


-myk
 
Old 07-23-2004, 01:00 PM   #2
foo_bar_foo
I think

/usr/sbin/iptables -A INPUT -p icmp -j DROP

ought to shield you up.
 
Old 07-23-2004, 01:02 PM   #3
mykrob
Can you explain what all this means?

Thanks,
-myk
 
Old 07-23-2004, 01:45 PM   #4
ppuru
ICMP - Internet Control Message Protocol.

It handles pings (echo request and replies) and several other additional functions like letting the system know that the remote system is unreachable, etc.

This link will help you understand better.
Quote:
/usr/sbin/iptables -A INPUT -p icmp -j DROP
The above rule blocks all ICMP traffic that is directed to your system. Not a big deal unless your system is doing a routing function on the net.

 
Old 07-23-2004, 02:01 PM   #5
mykrob
Thanks,
I'll forward this info to another user with the same question at PCPitstop.

One more thing: is this a permanent change, or will I need to do this each time I reboot?

-myk
 
Old 07-23-2004, 02:31 PM   #6
ppuru
You would need to save the iptables rules so they can be called during boot time...

iptables-save??? in SuSE?
 
Old 07-23-2004, 05:34 PM   #7
mykrob
Hmmm. I got the same results in my Shields Up test. Anything else I can try?

-myk
 
Old 07-24-2004, 05:38 AM   #8
TheIrish
Quote:
Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
Yes and no. I do not agree with this description. ICMP is an important infrastructure of networking and it is often used for load balancing. Dropping ICMP, especially if you're housing a server, is technically wrong. If you do your work right, a ping is only a ping.
Limiting the number of pings to avoid DoS is ok, avoiding network discovery is ok, but not dropping all ICMPs...
But it's only my opinion.
 
Old 07-24-2004, 11:40 AM   #9
Capt_Caveman
Try inserting (-I) it at the top of the ruleset:
/usr/sbin/iptables -I INPUT -p icmp -j DROP

FWIW TheIrish is correct, in that blocking all ICMP traffic is against RFC specs and can also cause Path MTU discovery failure, which can sometimes lead to connectivity issues. So, it's rather unfortunate that GRC doesn't explain the consequences of completely blocking ICMP on their site.
 
Old 07-24-2004, 12:13 PM   #10
ppuru
You can also

iptables -t nat -I PREROUTING -p icmp -j DROP

This will simply discard any ICMP traffic at the gate.
 
Old 07-24-2004, 04:37 PM   #11
Capt_Caveman
I'd really avoid doing packet filtering in the PREROUTING chain. The PREROUTING chain only checks the very first packet in a stream, but none of the subsequent packets are checked. In most circumstances (including this one), it's not an issue, but it can open your firewall up completely in some circumstances and therefore it's normally recommended to avoid doing so if at all possible.
 
Old 07-24-2004, 10:50 PM   #12
SciYro
It's discouraged to use chains for things they are not meant for; it can cause a few problems.

And yes, disabling ICMP can lead to problems, as your computer also won't get info on the state of a network if you drop all of these packets. Maybe something like

iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -A INPUT -p icmp -j DROP

This allows all related traffic, like an error sent back to you by ICMP; this should prevent connectivity issues. If you want to use it only for ICMP, just use

iptables -A INPUT -m state --state RELATED -p icmp -j ACCEPT

instead...

To block pings other than with iptables, you can disable it at the kernel level: browse through the /proc system.

Let me go see if I can track the folder down here ....

Got it, I think:

/proc/sys/net/ipv4

I'm guessing you know what to do from here...
 
Old 07-25-2004, 11:52 AM   #13
TheIrish
Quote:
iptables -A INPUT -m state --state RELATED -p icmp -j ACCEPT
Maybe I'm wrong, but I'm not sure it would work. Aren't ICMPs stateless?
 
Old 07-27-2004, 01:01 AM   #14
SciYro
I was under the impression (from what I hear around sites) that ICMP traffic generated from established connections is then related traffic... though I might be wrong; I have no way to 100% test it out on my system.
 
Old 07-27-2004, 12:46 PM   #15
OlRoy
Quote:
Originally posted by TheIrish
maybe I'm wrong, but I'm not sure it would work. Aren't ICMPs stateless?
Yeah, but like UDP, there are still fields in the packets that stateful firewalls can use to determine if it is part of a connection: source and destination addresses, type/codes or ports, and maybe the ID #.
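Pulling the thread's advice together as one script (an added example, not code from any of the posters): the RELATED/ESTABLISHED rule from posts #12 and #15 keeps ICMP errors tied to a tracked connection (Path MTU discovery) and replies to your own pings working, echo requests are rate-limited instead of all ICMP being dropped as TheIrish and Capt_Caveman recommend, rules are inserted with -I as in post #9, the /proc/sys/net/ipv4 knob from post #12 is exposed, and the rules are saved for post #6's reboot question. The IPT, IPT_SAVE, PROC and RULES_FILE variables and the /etc/iptables.rules path are assumptions so the script can be previewed and tested without a live firewall, not part of any SuSE setup.

```shell
#!/bin/sh
# Added example, not from the thread. Selective ICMP filtering for a
# single host: keep the ICMP messages a connection needs, rate-limit
# pings, drop the rest, and persist the result across reboots.
# Assumes iptables with the state and limit matches. Run as root.
# IPT, IPT_SAVE, PROC and RULES_FILE are hypothetical overrides so the
# script can be previewed without touching the firewall (IPT=echo).
IPT="${IPT:-/usr/sbin/iptables}"
IPT_SAVE="${IPT_SAVE:-/usr/sbin/iptables-save}"
PROC="${PROC:-/proc/sys/net/ipv4}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"   # assumed path

apply_icmp_rules() {
    # Insert (-I) at fixed positions so an earlier ACCEPT cannot shadow
    # these rules, the point made about -I versus -A in the thread.
    # 1. ICMP errors whose embedded header belongs to a tracked connection
    #    (destination unreachable / fragmentation-needed for Path MTU
    #    discovery, TTL exceeded) are RELATED; echo replies to pings we
    #    sent ourselves are ESTABLISHED. Both must get through.
    "$IPT" -I INPUT 1 -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 2. Still answer pings, but only a few per second, which blunts ping
    #    floods without the side effects of dropping all ICMP.
    "$IPT" -I INPUT 2 -p icmp --icmp-type echo-request \
        -m limit --limit 1/s --limit-burst 4 -j ACCEPT
    # 3. Unsolicited ICMP of any other type (redirects, timestamp
    #    requests, address-mask requests) is dropped.
    "$IPT" -I INPUT 3 -p icmp -j DROP
}

# Kernel-level alternative for the ping part only: the /proc/sys/net/ipv4
# knob hinted at in the thread. 1 = ignore every echo request, 0 = answer.
stealth_echo() {
    case "$1" in
        on)  echo 1 > "$PROC/icmp_echo_ignore_all" ;;
        off) echo 0 > "$PROC/icmp_echo_ignore_all" ;;
        *)   echo "usage: stealth_echo on|off" >&2; return 1 ;;
    esac
}

# iptables rules live in kernel memory only; dump them so a boot script
# can reload them with: iptables-restore < "$RULES_FILE"
save_rules() {
    $IPT_SAVE > "$RULES_FILE" && echo "rules saved to $RULES_FILE"
}
```

Source the file and call `apply_icmp_rules`, then `save_rules`; use `stealth_echo on` only if you want pings ignored outright, since the rate-limited ACCEPT already keeps the rest of ICMP intact.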
 