netfilter bypassed by nessus using UDP packets with source port 53
blancher at cartel-securite.fr
Fri Apr 1 15:24:58 CEST 2005
On Friday, 01 April 2005 at 08:59 +0200, grumpy wrote:
> > Have you checked if this alert is true, and not some false positive ?
> You are right, I do not know how to check this
You could just hping your box on a port you would listen on with netcat and
see if the data you send is received.
> In that case nessus would think the packets it sent to port 1-65635
> (except 22 and 3000) went through as well. Wouldn't it ?
Not for TCP, because TCP's normal behaviour for a closed port is to send a
RST/ACK. As you send an ICMP port unreachable, Nessus detects port is in
> nessus told me something like that :
> "the remote host does not discard TCP SYN packet which have FIN flag
> set. This can allow an attacker to defeat your firewall rules set"
Notice the "can". There have been packet filters that got fooled by
SYN/FIN packets, because they didn't see them as SYN packets, although the
destination host did. That's not the case with Linux.
> According to you, this is a false positive
I think so.
> Since it is impossible to prevent somebody from getting the timestamp (if I
> am not mistaken), I think I will try this :)
You can try this (I think it's a better way to filter your stuff) and
still block timestamps in TCP packets :)
# echo 0 > /proc/sys/net/ipv4/tcp_timestamps
PS: just beware of a typo in my previous post (forgot the ACCEPT target
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
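The subject of this thread is a filter that lets through any UDP packet claiming source port 53, which is exactly what a blanket `--sport 53 -j ACCEPT` rule does. As an added example (not from this thread or its author), the following Python script audits an iptables-save dump for ACCEPT rules keyed only on a source port and lacking a `--state`/`--ctstate` match; the ruleset embedded in it is constructed for illustration.

```python
import shlex

# Constructed iptables-save fragment: the first UDP rule is the classic mistake
# (any packet claiming source port 53 is accepted); the second is the stateful
# form that only admits replies to queries this host actually sent.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
"""

STATE_MATCHES = ("--state", "--ctstate")


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into (chain, tokens); None for non-rules."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    return tokens[1], tokens[2:]


def is_source_port_only_accept(tokens):
    """True if the rule ACCEPTs on a source port without tying it to a connection."""
    if "-j" not in tokens:
        return False
    j = tokens.index("-j")
    if j + 1 >= len(tokens) or tokens[j + 1] != "ACCEPT":
        return False
    has_sport = "--sport" in tokens or "--source-port" in tokens
    has_state = any(t in tokens for t in STATE_MATCHES)
    return has_sport and not has_state


def audit(ruleset, chains=("INPUT", "FORWARD")):
    """Return the offending rule lines from an iptables-save dump."""
    findings = []
    for line in ruleset.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, tokens = parsed
        if chain in chains and is_source_port_only_accept(tokens):
            findings.append(line)
    return findings


if __name__ == "__main__":
    for rule in audit(SAMPLE_RULES):
        print("source-port-only ACCEPT (spoofable):", rule)
```

Run it against `iptables-save` output on the host; every flagged rule accepts traffic on a value the sender chooses, so it should be replaced by the stateful form or a `--dport` match.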