[Dshield] ...so much hurt trough hacking one day...

André Costa brblueser at uol.com.br
Wed Nov 27 23:57:49 GMT 2002


Hi Bruce (Campbell -- two Bruces in a single msg! ;) )

Thanks for the tip, I didn't know there was such a thing as a 'bogus
identd' -- especially for Windows. I will look around for such a thing.

Best,

Andre

----- Original Message -----
From: "Bruce Campbell" <bruce.campbell at ripe.net>
To: <list at dshield.org>
Sent: Wednesday, November 27, 2002 7:30 PM
Subject: Re: [Dshield] ...so much hurt trough hacking one day...


> On Tue, 26 Nov 2002, [iso-8859-1] André Costa wrote:
[snip]
> > Well, while I agree that port 113 might definitely be a target for exploits,
> > and that it shouldn't be necessary to keep it opened, I cannot say things
> > run 100% fine if I just block it here. I have two boxes here: my dad's
> > running Win98 (I know, I know... I hate this "sub-OS" too, but it suits his
> > needs fine, so...) and my box with Linux and Win2000. My dad's SMTP server
> > times out some attempts (usually the first ones) if I don't allow it to poke
> > port 113. Also, xchat on Linux hangs for a little while (3-5s) before
> > establishing a connection if port 113 is simply blocked.
>
> You can (after referring to the CERT list of course) obtain an ident
> daemon that responds with random gibberish should someone tickle it
> (preferably only from machines that you're making connection attempts to;
>  RFC1413 sect 3 to the contrary, some ident daemons do allow you to
>  query for connections that your machine is making to other, unrelated to
>  the machine making the query, machines)
>
> This solves the two problems of not releasing any information about your
> logged in users, and keeping apparent latency to a minimum.  (it's not
> latency at your end, just the remote computer attempting to get some
> response on the ident port and waiting for said response).
>
> Note that remote users could still work out what general class of computer
> you have by that program's response (e.g., that looks like fake ident Foo,
> which runs only on windows), however I suspect that they would have
> already guessed this by other behaviour exhibited by your computer.
>
> --
>   Bruce Campbell.
>


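Added example, not part of the original thread and not any existing identd's code: a minimal RFC 1413 responder of the kind discussed above, which returns a random token instead of a real user name and answers only when the querying host is the far end of a connection this machine opened. The `owns_connection` callback, the demo port 1113 and the sample addresses are assumptions made for illustration; a real deployment would listen on port 113 and check the operating system's connection table.

```python
import re
import secrets
import socketserver

# RFC 1413 query: "<port-on-server> , <port-on-client>" followed by CRLF.
QUERY_RE = re.compile(rb"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def build_reply(line, peer_ip, owns_connection):
    """Return the RFC 1413 reply (bytes) for one query line.

    owns_connection(peer_ip, local_port, remote_port) is a hypothetical
    callback that says whether this host opened that connection to the peer.
    """
    m = QUERY_RE.match(line)
    if not m:
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    prefix = b"%d , %d : " % (local_port, remote_port)
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return prefix + b"ERROR : INVALID-PORT\r\n"
    # Refuse queries about connections to hosts other than the one asking.
    if not owns_connection(peer_ip, local_port, remote_port):
        return prefix + b"ERROR : NO-USER\r\n"
    # OS type OTHER marks the user-id as an opaque string, so a fresh random
    # token per query discloses nothing about logged-in users.
    token = secrets.token_hex(4).encode()
    return prefix + b"USERID : OTHER : " + token + b"\r\n"


class FakeIdentHandler(socketserver.StreamRequestHandler):
    timeout = 5  # seconds; drop clients that connect and never send a query

    def handle(self):
        try:
            line = self.rfile.readline(64)  # bounded read, queries are short
        except OSError:
            return
        self.wfile.write(
            build_reply(line, self.client_address[0], self.server.owns_connection)
        )


if __name__ == "__main__":
    # Constructed demo data: one outbound SMTP connection this host "owns".
    outbound = {("192.0.2.10", 6193, 25)}
    with socketserver.ThreadingTCPServer(("127.0.0.1", 1113), FakeIdentHandler) as srv:
        srv.owns_connection = lambda ip, lp, rp: (ip, lp, rp) in outbound
        srv.serve_forever()
```

Because the reply arrives immediately, the remote mail or IRC server does not wait out a timeout on port 113, which is the delay described in the quoted message.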