[please fix your rather broken line-wrapping]
On Fri, Apr 23, 2004 at 12:28:19PM +0200, Hochstrasser Benedikt wrote:
> Matthew Byng-Maddick wrote:
>> Hochstrasser Benedikt wrote:
>>> IMHO the firewall /is/ properly configured when it silently drops the
>>> auth packet. (They are evil, you know. <g>) Apart from that, a Windows
>>> system doesn't know about ident anyway.
>> Then it should be returning a RST. End of story. Silently dropping stuff
>> is a way to pretend that your network is broken. How fantastically useful.
> The main reason for this is to slow down port scanning. Nearly every firewall
> setup suggests to use "stealth mode" (aka drop packet).
That's of dubious security benefit, since automated exploit systems will
often just try and send the exploit code to you anyway. In the case of
identd, why should the receiver/server SMTP try and make things easier if
your broken firewall policy dictates that you should drop things you don't
want to deal with. If you want to break your network, then you can wait for
me to time out my request.
>> You may or may not understand the purpose of ident, from the above statement,
>> it looks like you don't. (...) The idea is that I log stuff about the
>> connection (...) If you're not running a multi-user system, there is no
>> reason to run an identd
> Ident has been abused many times to harvest [potential] email addresses. If I
> wanted to trace my users's connections then I have a firewall or proxy
There is a simple answer to this. Run an identd that gives you crypted
output.
> log. Plus, Windows doesn't offer it and most smtp gateways are to be
> considered "single user".
Unless you're dealing with something that's talking to one of those
gateways. I don't know about you, but I mostly don't know what type
of machine I'm talking to when I listen on port 25. (most of them seem
to be compromised windows boxes, but that's neither here nor there). I
can't tell if it's a "gateway" or a "multi-user box". Windows may not
offer it, but should, at the very least send me a RST when I try to
connect to the port. If it decides to silently drop the packet, then it
can damned well wait while I time out the connection.
>>> (FWIW I have a dummy identd running here just to appease other nosey
>>> servers, but I'd prefer not having to use that at all)
>> How useful, why not just not listen on the port?
> We connect to sites that require ident queries to be answered. (They
> didn't require the answers to be accurate, though <g>)
What sites and services require ident? The only one I've ever seen *require*
an ident is IRC. Most other services query it and log it if it exists, which
is, as it's supposed to be. I don't think a server is "nosey" if it asked for
it; after all, you connected to that server.
>> Not giving out RSTs for closed ports is almost always the wrong thing to do.
>> (It goes, in my mind, hand in hand with blocking ICMP ECHO-REQ "for
>> security reasons", or even better, blocking all ICMP, leading to weirdness
>> when the machine doesn't believe in ICMP TTL-EXCEEDED or ICMP MUST-FRAGMENT.
> I agree, most ICMP stuff is legitimate, blocking it makes no sense. OTOH
> there have been enough ICMP exploits to justify the blocking of at least
> some of them.
In my experience it is the same "firewall administrators" who believe in
stealth mode who miss the need for passthrough of MUST-FRAGMENT, and which
is normally a good way to break PMTU-D. They then wonder why weirdnesses
occasionally happen. Some have said that knowledge is like a two-way street,
none, or large amounts, and you're safe, but a little knowledge puts you in
the middle, which is where the cars are...
MBM
--
Matthew Byng-Maddick <mbm@???> http://colondot.net/
(Please use this address to reply)
