Re: deny !Safe_ports, any critical reasons? (abuse..)

From: Peter van Dijk <[email protected]>
Date: Thu, 7 Jan 1999 16:00:29 +0100

On Thu, Jan 07, 1999 at 10:51:52PM +1300, Chris Wedgwood wrote:
> On Thu, Jan 07, 1999 at 02:24:01PM +1300, Jason Haar wrote:
>
> > acl unsafe_ports port 1 7 9 11 13 15 17 19 20 22 23 25 26 27 37 43
> > 53 57 70 77 79 87 88 95 101 102 103 109 110 110 111 111 113 115 117
> > 119 123 137 138 143 144 465 563 512 513 514 515 520 526 530 531 532
> > 540 543 544 556 600 749 750 751 754 992 993 995 989 990 442 465 563
> > 992 993 994 995 989 990 901 1080
>
> OK -- this still leaves plenty of ports people might do bad things
> with.
>
> I think a policy of 'allow all except some' is generally a bad idea;
> 'allow none except some' is better IMO.
>
> (Off the top of my head) Your list doesn't include 21 (ftp command),
> 139 (Windows NetBIOS), 135 (Windows DCOM), 1433 (MS SQL server), 7010
> (common Sybase SQL server), etc.

21 is needed to do FTP proxying...

> I could make this list as long as I wanted if I had the time to spend
> thinking about it (many protocols use different ports at differnet
> times).

3306, mySQL. I'm currently compiling a large database of portnumbers for
widely (and not-so-widely) used services which aren't listed in any
standards documents (like all those SQL servers, or port 3128 for Squid..)

This database is running here locally (PHP+mySQL) but will soon be moved
to a permanent connection, so you guys can all use it :)

When I'm online, you can find it at http://home.attic.vuurwerk.nl/services/

Oh.. and the comments are in Dutch.. but the interface should be
intuitive (to me it is, anyway :)

> > I basically scanned my services file for known services and told
> > Squid not to allow those ports - but to allow everything else.
>
> Why?
>
> > I agree with you that the best idea is to scan your logs to see
> > what ports people are using...
>
> Why -- I only allow people to use connect with 443 and 563 -- I see
> no reason for them to use a squid proxy a connection on any other
> port.

Agreed.

> > I think this is a real nasty piece of work - for us it's not "a
> > problem" as only our users can use our Squid server and we trust
> > our users ;-)
>
> Many people can't trust their users -- it's just not possible to
> trust spottle little 12-year old kidz who download c00l WaReZ and
> play with exploits found on rootshell and bugtraq...

Didn't you just LOVE sshdwarez.c? The greatest hack of the year.. a f*cking
trojan. Hacked 3 script kiddies with it :)

Greetz, Peter.

-- 
<squeezer> AND I AM GONNA KILL MIKE                |          Peter van Dijk
<squeezer> hardbeat, als je nog nuchter bent:      | peter@attic.vuurwerk.nl
<squeezer>   @date = localtime(time);		   |  realtime security d00d
<squeezer>   $date[5] += 2000 if ($date[5] < 37);  | 
<squeezer>   $date[5] += 1900 if ($date[5] < 99);  |    -x- available -x-
Received on Thu Jan 07 1999 - 08:04:02 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:55 MST