stealth port scanning fix

Superuser (root@IO.STARGATE.CO.UK)
Sun, 07 Sep 1997 16:33:16 +0100

Hi, as I said in a previous message linux 2.1.53, and probably all other versions,
allows port scanning by sending FIN-only (no ACK) packets and seeing if one
gets an RST packet. If one does not then the port is listening. Here is a patch
to linux/net/ipv4/tcp_input.c that stops that working and gives you a message
in the log telling you the port number and source IP address. When you see
all the open ports from one IP address you have grounds for writing to the ISP
and watching the cracker's account disappearing (in a puff of greasy green
smoke, perhaps).

Duncan (-:
(Alan Cox also included in recipients)

--- tcp_input.c.orig Sun Sep 7 16:01:32 1997
+++ tcp_input.c Sun Sep 7 16:24:38 1997
@@ -1548,9 +1548,9 @@
/* These use the socket TOS..
* might want to be the received TOS
*/
- if(th->ack)
- return 1;
-
+ if(th->ack)
+ return 1;
+
if(th->syn) {
if(tp->af_specific->conn_request(sk, skb, opt, 0) < 0)
return 1;
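Review bot: the three removed lines and the three added lines in this hunk are textually identical as shown, so the hunk changes only whitespace (indentation) and has no functional effect; drop it so the patch contains nothing but the fix and applies cleanly against trees with either indentation.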
@@ -1574,7 +1574,11 @@
goto discard;
}

- goto discard;
+ /* SECURITY FIX: stop port scanning with packets that do not
+ * set either ACK or SYN (e.g. just FIN).
+ */
+ printk("Warning: possible attempt at \"sleath\" port scaning: port %d, source IP %s\n", noths(skb->h.th->dest), in_ntoa(skb->nh.iph->saddr));
+ return 1;
break;

case TCP_SYN_SENT:
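Review bot: the `break;` left after the new `return 1;` is unreachable and should be removed, and `noths(skb->h.th->dest)` is a typo for `ntohs(...)` that will not compile (the message string also misspells "stealth" and "scanning"). More importantly the `printk` fires once per matching segment on a path any remote host can drive, so a stream of bare-FIN packets fills the kernel log, a denial of service in its own right; give the message an explicit level such as `KERN_WARNING` and throttle it (the `printk_ratelimit()` helper of later kernels does not exist in 2.1, so a simple jiffies-based check is needed). A segment with only RST set also lands here unless something earlier in the function already discards it, which the hunk does not show, and RFC 793 says a RST must never be answered with a RST, so test `th->rst` and `goto discard` before logging and returning 1. The change itself, replacing `goto discard` with `return 1` so the listening socket answers a bare FIN with a RST exactly as a closed port would, is the right idea and matches the behaviour described in the message.

The detection logic the patch adds to the kernel, carried out in user space over captured packets as an added example. This is not code from Duncan's message or from the kernel; the packets, addresses and the set of listening ports are all constructed here. It goes slightly beyond the FIN-only case in the message: any segment to a listening port that carries neither ACK nor SYN (bare FIN, FIN+PSH+URG, or no flags at all) is treated as a probe, while RST-only segments are deliberately ignored since they must never be answered.

```python
"""Added example: spot segments to listening ports that carry neither ACK
nor SYN, the condition the patch logs, and tally them per source address.
Everything below (packets, addresses, listening ports) is constructed."""
import struct
from collections import defaultdict

# TCP flag bits as laid out in the flags byte of the header.
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 1, 2, 4, 8, 16, 32


def parse_ipv4_tcp(pkt: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, flags) from a raw IPv4+TCP packet."""
    if len(pkt) < 20:
        raise ValueError("short IP header")
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if pkt[9] != 6:                     # protocol field: 6 is TCP
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in pkt[12:16])
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]                     # URG..FIN live in the low six bits
    return src_ip, dst_ip, src_port, dst_port, flags


def is_stealth_probe(flags: int) -> bool:
    """A segment with neither ACK nor SYN belongs to no connection the LISTEN
    socket knows about, so it is a probe. RST-only segments are excluded: a
    reset must never be answered, and it tells the sender nothing useful."""
    return not (flags & (TH_ACK | TH_SYN | TH_RST))


def scan_report(packets, listening_ports):
    """Map each source IP to the sorted list of listening ports it probed."""
    hits = defaultdict(set)
    for pkt in packets:
        src_ip, _, _, dst_port, flags = parse_ipv4_tcp(pkt)
        if dst_port in listening_ports and is_stealth_probe(flags):
            hits[src_ip].add(dst_port)
    return {ip: sorted(ports) for ip, ports in hits.items()}


def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Constructed test input: minimal 20-byte IPv4 + 20-byte TCP header, no checksums."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(x) for x in src_ip.split(".")),
                         bytes(int(x) for x in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


# Constructed sample: 10.0.0.9 sweeps three listening ports with bare FIN,
# Xmas and NULL segments; the remaining packets are benign or not probes.
LISTENING_PORTS = {22, 25, 80}
SAMPLE_PACKETS = [
    build_packet("10.0.0.9", "192.0.2.10", 40001, 22, TH_FIN),
    build_packet("10.0.0.9", "192.0.2.10", 40002, 25, TH_FIN | TH_PSH | TH_URG),
    build_packet("10.0.0.9", "192.0.2.10", 40003, 80, 0),
    build_packet("10.0.0.9", "192.0.2.10", 40004, 22, TH_RST),       # ignored
    build_packet("192.0.2.5", "192.0.2.10", 50000, 80, TH_SYN),      # normal connect
    build_packet("192.0.2.5", "192.0.2.10", 50001, 22, TH_ACK),      # handled by the ack check
    build_packet("192.0.2.5", "192.0.2.10", 50002, 443, TH_FIN),     # port not listening
]

if __name__ == "__main__":
    for ip, ports in scan_report(SAMPLE_PACKETS, LISTENING_PORTS).items():
        print("Warning: possible stealth port scan from %s, ports %s" % (ip, ports))
```

Run against real traffic the same function would take packets from a capture library instead of `SAMPLE_PACKETS`; the per-source aggregation is what turns single log lines into the "all the open ports from one IP address" pattern the message describes.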