[Dshield] ...so much hurt trough hacking one day...

Bruce Campbell bruce.campbell at ripe.net
Wed Nov 27 21:30:02 GMT 2002


On Tue, 26 Nov 2002, André Costa wrote:

> From: "Bruce Lilly" <blilly at erols.com>
> To: <list at dshield.org>
> Sent: Tuesday, November 26, 2002 5:48 PM
> Subject: Re: [Dshield] ...so much hurt trough hacking one day...
>
> > Port 113 connects are not necessarily harmless and can be quite
> > dangerous in a number of ways:
> > 1. There are known exploits against some ident (a.k.a. auth) servers.
> >     Search CERT for port 113, ident, auth
> > 2. The ident protocol may reveal information which you would prefer
> >     not to disclose to nosy individuals. It can return information
> >     about the type and version of OS on your computer, id of logged in
> >     users, etc., all of which is invaluable to hackers.
> >
> > Here, port 113 connection attempts are dropped and logged, and the logs
> > submitted to Dshield.

Whoa there boy.  If your computer is making connections to the Internet
(outgoing smtp etc), you're probably going to be automatically tickled on
your ident port (depending on what the remote machine is doing).

So submitting logs to dshield regarding ident requests coming in from
machines that you have made an outgoing connection to is a bit on the
hypocritical side.  Machines that you haven't made outgoing requests to,
that's a different story.

> > Ftp and smtp work fine and I don't use IRC.
> > Nobody needs to know what OS is in use here or who is logged in at
> > any given time.
>
> Well, while I agree that port 113 might definitely be a target for exploits,
> and that it shouldn't be necessary to keep it open, I cannot say things
> run 100% fine if I just block it here. I have two boxes here: my dad's
> running Win98 (I know, I know... I hate this "sub-OS" too, but it suits his
> needs fine, so...) and my box with Linux and Win2000. My dad's SMTP server
> times out some attempts (usually the first ones) if I don't allow it to poke
> port 113. Also, xchat on Linux hangs for a little while (3-5s) before
> establishing a connection if port 113 is simply blocked.

You can (after referring to the CERT list of course) obtain an ident
daemon that responds with random gibberish should someone tickle it
(preferably only from machines that you're making connection attempts to;
 RFC1413 sect 3 to the contrary, some ident daemons do allow you to
 query for connections that your machine is making to other machines,
 unrelated to the machine making the query).

This solves the two problems of not releasing any information about your
logged in users, and keeping apparent latency to a minimum.  (It's not
latency at your end, just the remote computer attempting to get some
response on the ident port and waiting for said response.)

Note that remote users could still work out what general class of computer
you have by that program's response (eg, that looks like fake ident Foo,
which runs only on windows), however I suspect that they would already
have guessed this by other behaviour exhibited by your computer.

-- 
  Bruce Campbell.
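The "random gibberish" ident daemon described in the reply above, written out as an added example that is not code from the original thread or from any real identd: it answers an RFC 1413 query with a random token (and the opsys field `OTHER`, so the reply carries no OS hint) only when the queried port pair is a live connection between this host and the host asking, and answers `NO-USER` for anything else, so the ident port cannot be used to enumerate connections to third parties. The `/proc/net/tcp` sample, the addresses in it, the `0 , 0` echo on a malformed query and the listening port 1113 are this example's own assumptions.

```python
# Added example (not code from the original thread): a minimal RFC 1413
# ident responder that never reveals a real username or the OS, and only
# answers for connections the querying host actually has with this machine.
import re
import secrets
import socket
import socketserver
import struct

ESTABLISHED = "01"   # TCP state code the kernel prints in /proc/net/tcp
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

# Constructed sample of /proc/net/tcp (not captured from a real host):
# row 0 is our SMTP listener, row 1 an ESTABLISHED session from
# 192.0.2.10:46290 to our port 25, row 2 our own outgoing SMTP session
# from local port 50000 to the unrelated host 203.0.113.5:25.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100000A:0019 0A0200C0:B4D2 01 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 20 4 30 10 -1
   2: 0100000A:C350 057100CB:0019 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1
"""


def parse_request(line):
    """Parse an ident query '<port-on-server> , <port-on-client>'.

    Returns (server_port, client_port), or None when the line is malformed
    or a port is outside 1..65535 (RFC 1413 error type INVALID-PORT).
    """
    if len(line) > 512:            # this example's defensive cap, not an RFC limit
        return None
    m = REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return None
    return sp, cp


def established_connections(proc_net_tcp_text):
    """Return {(local_port, remote_ip, remote_port)} for every ESTABLISHED
    IPv4 socket in the text of Linux /proc/net/tcp."""
    conns = set()
    for row in proc_net_tcp_text.splitlines()[1:]:      # skip the header
        fields = row.split()
        if len(fields) < 4 or fields[3] != ESTABLISHED:
            continue
        _laddr, lport = fields[1].split(":")
        raddr, rport = fields[2].split(":")
        # The kernel prints the address as one 32-bit word in native byte
        # order, so repack it natively to get the dotted quad back.
        remote_ip = socket.inet_ntoa(struct.pack("=I", int(raddr, 16)))
        conns.add((int(lport, 16), remote_ip, int(rport, 16)))
    return conns


def ident_response(request_line, querier_ip, connections, token=None):
    """Build one RFC 1413 reply line for a query from querier_ip.

    A random token is returned only if (server_port, querier_ip, client_port)
    is a live connection; any other pair, including our connections to
    other hosts, gets NO-USER (the RFC 1413 section 3 behaviour).
    """
    ports = parse_request(request_line)
    if ports is None:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"    # '0 , 0' echo is this example's convention
    sp, cp = ports
    if (sp, querier_ip, cp) not in connections:
        return f"{sp} , {cp} : ERROR : NO-USER\r\n"
    return f"{sp} , {cp} : USERID : OTHER : {token or secrets.token_hex(4)}\r\n"


class IdentHandler(socketserver.StreamRequestHandler):
    """Answers a single ident query per TCP connection."""
    timeout = 10   # seconds; silent clients are dropped rather than held

    def handle(self):
        line = self.rfile.readline(513).decode("ascii", "replace")
        with open("/proc/net/tcp") as f:          # Linux-only connection table
            conns = established_connections(f.read())
        reply = ident_response(line, self.client_address[0], conns)
        self.wfile.write(reply.encode("ascii"))


if __name__ == "__main__":
    # Port 113 needs root or CAP_NET_BIND_SERVICE; 1113 is for a local try-out.
    with socketserver.TCPServer(("0.0.0.0", 1113), IdentHandler) as srv:
        srv.serve_forever()
```

With the sample table, a query of `25 , 46290` from 192.0.2.10 gets a USERID line with a fresh token, while the same host asking about `50000 , 25` (our session to 203.0.113.5) gets `NO-USER`. The 3-5 second hang André describes is the remote side waiting for an ident query that a DROP rule silently swallows; a TCP reset (a REJECT rule) or this daemon's immediate `NO-USER` both end that wait at once, which is the latency point in the reply above.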
