
Re: [cobalt-security] Re: cobalt-security digest, Vol 1 #259 - 7 msgs



On Sun, 4 Mar 2001 kcelik@xxxxxxxxxxxxxx wrote:

> Thanks for the comments,
>
> In actual fact we did do a portscan and found several ports vulnerable.
> These were identdresp, bindvrs; all others were ok (we used ISS portscan
> tools) (should be ok).

If ISS showed bind as vulnerable, then you are in trouble.

> What we also did was sniff the net with a scope and capture some traces.
> Each time we managed to get almost the start of the conversation and then
> we lost the initiating packet.
>
> The worry here is that the Trin00 daemon can be activated via ICMP as well,
> which makes it even more frustrating as there are tonnes of the packets
> floating at any one time within the network. ARPs, ICMP redirect and SNMP
> all require ICMP for route determination.
>
> The likelihood of a sniffer program on our ethernet is minimal as it is
> colocated and locked up to anybody but us. We have checked this and it is
> impossible.

Is it bollocks.  Somebody owns your box with elite-exploit-37.c and
installs generic-sniffer.c.  Or they own something else on the same
hub/switch and install dsniff, and use the ARP redirect feature to sniff
telnet and SSH (dsniff supports proper man-in-the-middle attacks of SSH
and SSL, I've tried it).

> The bind version we are running is the latest patch from Cobalt,
> RaQ3-All-Security-4.0.2-9353.pkg. If this is incorrect then Cobalt
> have something to answer for!!!!!!!

Ok, you installed the patch, but did you stop and start named?  If you
didn't do this, then bind 8.2.2 is still running, hence the fact you were
owned.

> Anyway, it seems my only recourse is to rebuild. This will take me a while.
>
> So a question to and for the learned of us: how do I turn off directed
> broadcasts on my Bay Networks ARN router to minimise the UDP traffic being
> generated by the Cobalt?

I'm sorry, I don't want to start a flame war here, but 'the learned of
us'?

To disable ICMP redirects from Linux (i.e. on the Cobalt only)...

# Disable ICMP Redirects
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]
then
    echo -e "\t\tDisabling ICMP redirects"
    for i in /proc/sys/net/ipv4/conf/*/accept_redirects
    do
        echo 0 > $i
    done
fi

If the router doesn't filter source-routed packets you could also do that
from Linux...

# Disable source-routed packets
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]
then
    echo -e "\t\tDisabling source-routed packets"
    for i in /proc/sys/net/ipv4/conf/*/accept_source_route
    do
        echo 0 > $i
    done
fi

# Log spoofed, source-routed, or redirected packets
if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]
then
    echo -e "\t\tTurning on logging of 'Martian' packets"
    for i in /proc/sys/net/ipv4/conf/*/log_martians
    do
        echo 1 > $i
    done
fi

> I have looked at blocking ports 27444 and 27454 (slave/master ports) via
> filters on the router, but is there more????

Regards.
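The three /proc/sys/net/ipv4/conf scripts in the reply above write the settings but never read them back, so a missed interface (or a setting reverted by a later boot script) goes unnoticed. The audit below is an added example, not code from the post or from Cobalt: it walks the same per-interface tree and reports every interface still holding the weak value. The conf root is passed in as an argument (an assumption added so the check can also run against a copied tree); on a live box pass /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Audit the three per-interface IPv4 settings the reply's scripts write and
# list every interface that still holds the weak value. The conf root is an
# argument (added assumption) so the check can run against a copied tree.

# check_key ROOT KEY WANT: print "KEY IFACE VALUE" for each interface whose
# value differs from WANT; return 1 if any did, 0 otherwise.
check_key() {
    dir=$1 key=$2 want=$3 bad=0
    for f in "$dir"/*/"$key"; do
        [ -r "$f" ] || continue            # no such key under this iface
        iface=${f%/*}; iface=${iface##*/}  # .../eth0/accept_redirects -> eth0
        val=$(cat "$f")
        if [ "$val" != "$want" ]; then
            echo "$key $iface $val"
            bad=1
        fi
    done
    return $bad
}

# audit_ipv4_conf ROOT: run the three checks; return 1 if anything is weak,
# so the function can gate a cron job or a post-install check.
audit_ipv4_conf() {
    root=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    check_key "$root" accept_redirects    0 || rc=1  # 1 = honours ICMP redirects
    check_key "$root" accept_source_route 0 || rc=1  # 1 = accepts source-routed
    check_key "$root" log_martians        1 || rc=1  # 0 = martians not logged
    return $rc
}
```

Source the file and run `audit_ipv4_conf /proc/sys/net/ipv4/conf` after the hardening scripts; a non-zero exit with no output means the root path was unreadable, a non-zero exit with output names the interfaces that were missed.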