RE: GCI filtering port 139?

From: Christopher Erickson <cerickson@gci.net>
Date: Wed Dec 29 2004 - 00:01:22 AKST

IP filtering is a rotten form of security.

Way too easily circumvented and/or exploited.

-Christopher Erickson

> -----Original Message-----
> From: aklug-bounce@aklug.org
> [mailto:aklug-bounce@aklug.org]On Behalf Of
> Beau V.C. Bellamy
> Sent: Tuesday, December 28, 2004 9:49 PM
> To: aklug@aklug.org
> Subject: Re: GCI filtering port 139?
>
>
> Uhm... I'm guessing you guys aren't familiar with IP filtering. He is
> talking about locking it down to one IP address. This should be fine.
> Unless, of course, the attacker finds out which IP address it's locked
> down to, then starts spoofing it. I really only see this as a risk with
> people you have told the IP to and those who lie in the intervening or
> adjacent networks. In this case: Local Network, GCI, upstreams, ACS,
> Remote Network. Proper routing rules should mitigate the possibility of
> spoofing from outside sources. This is assuming that GCI, ACS, and their
> upstreams have this functionality in place. *caveat* I've been wrong in
> assuming such things before.
>
> In other words, I am disagreeing with certain others here on list about
> the severity of the risks associated with leaving an SMB server on the
> internet in the configuration you specified. I think you are definitely
> a lot safer with this approach. There are still risks involved, though,
> much less so. Ultimately, I'd recommend an encrypted tunneling system
> anyway. The choice is yours.
>
> Sincerely,
> - Beau
>
> On Tuesday 28 December 2004 19:42, KURT BRENDGARD wrote:
> > short answer: YES!!!!!!
> >
> > long answer: YES!!!!!!! how important is that box to you? you set it
> > up with those ports open, it won't take long till somebody figures out
> > it's there and starts in on it (2 scripts, one to find, one to try
> > owning). even if it's NetBSD, it won't take them long to figure out
> > it's not Windows and fingerprint the box to see what it is (another
> > script). once they do that, they start looking up what holes there are
> > in it (posted on various sites for all to read). those ports are some
> > of the most looked for on the net, simply because most Windows boxes
> > listen on them, even if they are hidden/closed/protected. and the tools
> > to own boxes are scripts free for the download. simply put, those are
> > among the last ports you want open to the internet, on any system.
> >
> > if you do do it, at least back the box up, you'll need it.
> >
> >
> >
> > ------------------------------
> >
> > Date: Mon, 27 Dec 2004 17:11:55 -0900
> > From: Grant Stockly <grant@cmosxray.com>
> > Subject: re: GCI filtering port 139?
> >
> > It's a NetBSD box running Samba with one share, one user, and an
> > ipfilter for one IP address. Do I really need more?
> >
> > At 11:56 AM 12/26/2004 -0800, KURT BRENDGARD wrote:
> > >what's your IP addy?? i could use some more storage for my files :>
> > >
> > >you should never ever ever open those ports to the internet, unless
> > >you WANT somebody to own you. the newer Windows boxes can be set up to
> > >virtual private network with few (for Windows) problems. i'm assuming
> > >you have a firewall of some kind, (if not, set one up, better the
> > >script kiddies own your firewall and give you more time to protect
> > >your server. it's one more layer of protection they have to go
> > >through) they are not that spendy nowadays. most of them now come with
> > >VPN built in as well. if you set up a Linux firewall, you can set up
> > >one on that. if it's a stationary box you are using to VPN in, you
> > >could set up VPN to VPN firewalls, but that allows the whole network
> > >to use your files as well.
> >
> > ---------
> > To unsubscribe, send email to <aklug-request@aklug.org>
> > with 'unsubscribe' in the message body.
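As an added example (not from any poster in this thread), this is what Grant's "ipfilter for one IP address" looks like on NetBSD's ipf once the ingress anti-spoofing rules Beau is relying on are written into the same file. The interface name ex0, the box's own public address 192.0.2.1 and the trusted remote address 203.0.113.10 are constructed placeholders.

```conf
# /etc/ipf.conf -- NetBSD ipfilter, SMB share reachable from one address only.
# Assumed (constructed) values: ex0 = internet-facing interface,
# 192.0.2.1 = this box's public address, 203.0.113.10 = the one remote
# client allowed to reach the share.

# Ingress anti-spoofing: a packet arriving from the internet can never
# legitimately claim our own address, loopback, or RFC 1918 space as its
# source. Dropping those here means a forged "trusted" source can only be
# injected from a network between the two endpoints, which is exactly the
# residual risk Beau describes.
block in log quick on ex0 from 192.0.2.1/32 to any
block in log quick on ex0 from 127.0.0.0/8 to any
block in log quick on ex0 from 10.0.0.0/8 to any
block in log quick on ex0 from 172.16.0.0/12 to any
block in log quick on ex0 from 192.168.0.0/16 to any

# Egress anti-spoofing: only our own address may leave ex0, so this box
# cannot be used to spoof anyone else's.
block out log quick on ex0 from !192.0.2.1/32 to any

# SMB: NetBIOS session on 139 and the direct SMB port 445 that Samba also
# serves. Only the single remote address, only new connections (SYN),
# tracked with keep state so the reply traffic needs no separate rule.
pass in quick on ex0 proto tcp from 203.0.113.10 to 192.0.2.1 port = 139 flags S keep state
pass in quick on ex0 proto tcp from 203.0.113.10 to 192.0.2.1 port = 445 flags S keep state

# Everything else aimed at the NetBIOS/SMB ports (137-139 TCP and UDP, 445)
# is dropped and logged; the log is the detection signal for the scanning
# Kurt describes. "136 >< 140" is ipf's exclusive range, i.e. 137 to 139.
block in log quick on ex0 proto tcp from any to any port 136 >< 140
block in log quick on ex0 proto udp from any to any port 136 >< 140
block in log quick on ex0 proto tcp from any to any port = 445

# Add pass rules for any other service this box offers above this line;
# the closing rule is a default deny on the outside interface.
block in log quick on ex0 all
```

Load it with `ipf -Fa -f /etc/ipf.conf`. The anti-spoofing lines stop forged packets that arrive on ex0 claiming a local or private source, but a packet forged with 203.0.113.10 as its source from elsewhere on the internet is only stopped if the intervening networks filter on source address, which is the assumption Beau flags and the reason he still recommends an encrypted tunnel.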

Received on Wed Dec 29 00:13:01 2004

This archive was generated by hypermail 2.1.8 : Wed Dec 29 2004 - 00:13:02 AKST