I DID IT! Achieved security perfection!

[wayne_abx]

Hey Finalheaven,

Keep it up man..

Fraoch
The more I read on Clark Connect the more I like, I never heard of it until you started posted about it Thanks for posting your experience with it.

-wayne

[Fraoch]

Yep, it's pretty cool - last niggling thing is getting it to work through the WAN port of the router. A crossover cable shows electrical connection but that's about it - I can no longer connect to the CC box and I get no Internet connection either.

But yes, it stopped a very persistent attacker who started last night and came back tonight, finally giving up about 4 hours ago. 97 attacks! I never knew this stuff before.

Regarding stealthing ports and stopping pings, aren't these GOOD things? Don't the bad guys work as follows:

- random pings
- port scan any replies
- if open ports are detected, walk right in
- if closed ports are detected, bang away at them until you get them open

Am I wrong in this thinking?

So aren't stealthing ports and stopping ping responses a good countermeasure?

[PCBruiser]

Fraoch. I hope you have kept the firewall logs, because I would report that attacker in the harshest possible polite terms to their ISP. And I would also check to see if that IP is also recorded on MyNetwatchman and DShield to add that info to your report to the ISP.

Your analysis is essentially correct, and that is why stealthing helps, of course. But, there is another essential firewall feature that works to prevent attackers from entering your LAN, SPI. So even if they do somehow manage to collapse the protections of a stealthed/closed port, SPI is sitting there to prevent unrequested packets from entering your LAN. And if you have unbound TCP/IP from your LAN's file sharing protocols, and are using IPX/SPX for internal communications on the LAN, even if they do get by the port blocking and SPI, they then have the problem of getting past using TCI/IP and converting the packets into IPX/SPX, which are non-routable over the internet, and do not use IP addresses in the first place. Furthermore, while NAT is not a firewall, it does also help prevent attackers seeing the internal machines in the first place because they have to bypass the many to one IP conversions that NAT in your router provides.

So, in short, if you are using a good firewall with port stealthing and SPI, plus NAT and IPX/SPX on your LAN with TCP/IP unbound from your LAN protocols, they have a very tough job to actually gain access to a local system. And, if they get by all of that, that's why I have a good software firewall on my local systems as well, that they still have to face and bypass. Good protection, set up with many layers, becomes just too hard, robots can't do it, a live person has to, and most just won't waste the time with a properly hardened LAN unless they know that the reward is worth the effort.

[switch_abx]

Another way to protect your LAN is to use IPSecurity (ipsec) within the LAN. However your router must support ipsec (VPN). In this case you don't need to use IPX/SPX within your LAN to insulate the LAN.

[Fraoch]

Quote:

Originally Posted by switch

Another way to protect your LAN is to use IPSecurity (ipsec) within the LAN. However your router must support ipsec (VPN). In this case you don't need to use IPX/SPX within your LAN to insulate the LAN.

Hmm...I thought IPsec was for VPN activities only - which I'm never going to do?

[PCBruiser]

Quote:

Originally Posted by switch

Another way to protect your LAN is to use IPSecurity (ipsec) within the LAN. However your router must support ipsec (VPN). In this case you don't need to use IPX/SPX within your LAN to insulate the LAN.

That is another alternative as well.

A little OT, but some ISPs are getting much more serious about this whole problem and have een adding commercial type protections both at their gateway routers and also at their local routers as well. Comcast has, for example, and the number of serious attacks that I have seen in the last few months has dropped dramatically from 40 - 50 per day to 2 - 3 per day at this point. And, they are also getting serious about spam and embedded trojans/viruses stripping them from email before they ever reach your inbox. Now, they can't stop everything, malware downloaded and installed by users is impossible to prevent with today's technology, and newer attacks, such as the jpeg vunerability are inevitable. But, they are clearly troubled with all the service complaints and the cost of fixing problems for noob users who get compromised, and the pain level has gotten high enough that they have been forced to protect their subscribers whether they have local protections or not. They arent perfect, nothing really is, but they are at least trying to do something about this at their level finally.

[TCM]

Quote:

Originally Posted by Endaar

I'll bite. What client-side functions would he have likely broken by blocking ICMP? As you note, FTP should not break by blocking ICMP packets. Nor should anything else.

Endaar

rfc1191 for starters. then, how do you think your client gets notice of a closed udp port? that's right, with icmp. a host not reachable? oh, icmp again. icmp isn't just "ping" and "pong".

blocking icmp gives zero security increase while breaking tons of other stuff. blocking icmp doesn't magically cover other security holes a host might expose. i wonder where the can't-ping-me-can't-hack-me stance is coming from.

along the same lines, blocking RST (oh, i forgot, "stealthing") most likely causes a connecting host to try again several times until it gives up. it's right that ports where no service is listening should be "blocked" by a firewall to prevent a backdoor/trojan from receiving packets by setting a port to listen. but blocking should happen in a way that the firewall replies with RST, not that it drops all requests silently.

to repeat, "can't see me, most likely won't hack me" is obscurity, not security.

ps: i find the "i'll bite" particularly amusing.

edit: quick google: http://alive.znep.com/~marcs/mtu/

[TCM]

Quote:

Originally Posted by Fraoch

- if open ports are detected, walk right in
- if closed ports are detected, bang away at them until you get them open

Am I wrong in this thinking?

what the hell? 110% wrong i'd say.

first, an open port doesn't mean anyone can "walk right in". an open port means some application is listening for connections on that port. to break into a system that application must have some security hole, i.e. it can be send malicious data that causes it to overflow some buffer or similiar. if an attacker can cause the application to execute code that he send it, then he effectively "broke into" the system.

a closed port is closed. how do you think you could cause that port to "open"? remember, an open port means an application is running that is listening on that port. if anyone could cause applications to start and listen on ports from the outside by hammering a closed port, then you wouldn't need to hack the resulting open port, don't you think?

edit: the difference between a closed port and a "stealthed" port (i hate this buzzword, really) is that your system doesn't reply with "no service on that port, move along". that's it.

imagine a street with houses. this street is your computer (more specifically, the interior of the houses are your computer. the street is public). the houses represent ports. each house has a number. now imagine there's a garage sale. you can go to specific houses where the doors are open and the owner is standing in the door. you see the owner and can ask him to offer service to you. the house owner is the application. each house owner is normally a strong guy, thus there's no way to get into the house and do things you aren't allowed to. sometimes, house owners are tricked by saying "look, a horde of flying elephants" where he then looks above and you can sneak into his house. that's the equivalent of microsoft software.

now, a closed port is the equivalent of a closed door. if you ring the bell you can only hear a voice saying "no garage sale here. nothing here for you. go away". the door never opens.

a "stealthed" port is the equivalent of you ringing the bell with no reply. you may think the owner just overheard the bell and you ring again and again. depending on your patience you might give up after 3 rings or go on all day. the door never opens as well, obviously.

now, don't take the analogy too far by thinking "hey, i could just slam the door hard enough to break it open". it doesn't work that way. the only way to get into the house is to have the owner open the door and trick the owner. if the door is shut, no house for you, ever.

[Fraoch]

Hmm...I thought it was on the GRC site where he said there are tools to open ports reported as closed, but I can't find it there now.

[TCM]

Quote:

Originally Posted by Fraoch

Hmm...I thought it was on the GRC site where he said there are tools to open ports reported as closed, but I can't find it there now.

umm, i call bs but if you can find it, i'll look at it and tell you what it really does.

[Fraoch]

It's hard to find because I can't configure a port to show as "closed" so GRC doesn't tell me anything about it.

[Finalheaven]

Can anyone tell me what TCM's problem is and how even got to abx in the first place? Isn't he the type we are exactly safe from on these forums?

[switch_abx]

he must have a row with his wife or girlfriend and steams off here at ABXZone.

Quote:

Originally Posted by Finalheaven

Can anyone tell me what TCM's problem is and how even got to abx in the first place? Isn't he the type we are exactly safe from on these forums?

[PCBruiser]

OK, guys. The thing is that TCM has a point. Perhaps he might have made it in a little forceful manner, but he has a valid point nonetheless.

[TCM]

the problem? this thread.

how i got here? check the register button. you must know it since you're here as well so i don't understand the question.

and what do you mean, the type you want to be safe from? my arrogant part will never go away when faced with utter bull**** and fake knowledge. deal with it. in case you don't know what i mean, allow me to refer to the thread subject again. mind you, i'm only trying to oppose the subject and statements, not anyone personally.