RE: [cobalt-users] ipchains logic/philosophy question
- Subject: RE: [cobalt-users] ipchains logic/philosophy question
- From: "Andy Brown" <andy.brown@xxxxxxxxxxxxx>
- Date: Wed Oct 16 01:24:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
<snip>
Thanks...I knew there must be a reason many run this package when most Raqs
are at the 'end of the street' and not used as a router... I concur on the
limits to IPs that need access to SSH and similar, but if I'm running _any_
publicly available service, the world 'knows' that there is a box there, so
I'm still unclear on the net-mapping claim.
</snip>
Hi Paul,
picture this scenario:
A hosting facility with ip addresses 100.100.100.1 to 100.100.100.200 <g>
A hacker wants to find the potential of hacking one of these 200 machines, and so portscans the entire range.
A portscan will return to them either:
port open
port closed
no response
The first two make it clear: the port is open and serving requests (i.e. the http port), or the port is closed, where the port exists on the machine but no software is currently running on it; and finally no response, where the packet has disappeared as far as the hacker is concerned.
The thing to note first is that most portscanners (nmap, et al) will only inform the hacker of the first two types, and will NOT display to the user the no response tag.
This is useful, as now the hacker can build up a picture of our IPs like this:
100.100.100.1 80,22,23(c),443,1000(c)
100.100.100.2 80,22
100.100.100.2 80,22,23(c)
etc... (I've marked closed ports with (c))
As you rightly mention, we already know the server is up and running, so it's not a matter of 'hiding' from the hacker, it's more a matter of limiting what they find out, in a bid to reduce the 'interesting' nature of your server.
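To make the point above concrete, here is an added example (not from the post or the list) that models the picture a scanner is left with for one host under two packet-filter policies: answering probes to unused ports (ipchains REJECT, read as "closed") versus silently discarding them (ipchains DENY, read as "no response" and therefore omitted). The hosts, listening ports and probed ports are constructed for the illustration.

```python
# Added example: what a portscan shows about a host depending on how the
# host's packet filter treats ports that are not serving anything.
# Hosts, listening ports and the probed port list are constructed here.

LISTENING = {"100.100.100.1": {80, 22, 443}, "100.100.100.2": {80, 22}}
PROBED = {22, 23, 80, 443, 1000}            # ports the hypothetical scan probes
OPEN, CLOSED, NO_RESPONSE = "open", "closed", "no response"


def probe(host, port, listening, policy):
    """Outcome of a single TCP probe against one port.

    policy 'reject': unused ports answer (RST / ICMP), so they read as
    closed, which is the ipchains REJECT behaviour.
    policy 'drop':   unused ports answer nothing (ipchains DENY), so the
    probe simply vanishes from the scanner's point of view.
    """
    if port in listening.get(host, set()):
        return OPEN
    return CLOSED if policy == "reject" else NO_RESPONSE


def scan_picture(host, listening, policy, probed=PROBED):
    """The picture the scanner ends up with, in the post's notation: open
    ports plain, closed ports tagged (c), no-response ports left out."""
    shown = []
    for port in sorted(probed):
        outcome = probe(host, port, listening, policy)
        if outcome == OPEN:
            shown.append(str(port))
        elif outcome == CLOSED:
            shown.append(f"{port}(c)")
    return f"{host} {','.join(shown)}"


def leaked_ports(host, listening, probed=PROBED):
    """Ports a 'reject' policy reveals as existing-but-closed and a 'drop'
    policy keeps out of the scanner's picture entirely."""
    return sorted(probed - listening.get(host, set()))


if __name__ == "__main__":
    for policy in ("reject", "drop"):
        print(policy, "->", scan_picture("100.100.100.1", LISTENING, policy))
    print("hidden by drop:", leaked_ports("100.100.100.1", LISTENING))
```

The open ports are identical under both policies; only the (c) entries, which tell the scanner a service slot exists on the box, disappear.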