POP3 in firewall

Nejc Skoberne nejc.skoberne at guest.arnes.si
Sat Jul 26 14:14:36 CEST 2003


Hello.

14:02:29.847653 193.77.158.171.57635 > 193.95.241.200.pop3: S 3875215150:3875215150(0) win 5808 <mss 1412,sackOK,timestamp 159735868 0,nop,wscale 0> (DF) [tos 0x10]
14:02:29.847828 193.95.241.200.pop3 > 193.77.158.171.57635: S 2361329779:2361329779(0) ack 3875215151 win 5760 <mss 1452,sackOK,timestamp 21696375 159735868,nop,wscale 0> (DF)
14:02:29.874175 193.77.158.171.57635 > 193.95.241.200.pop3: . ack 1 win 5808 <nop,nop,timestamp 159735871 21696375> (DF) [tos 0x10]
14:02:29.879227 193.95.241.200.4254 > 193.77.158.171.auth: S 2357062135:2357062135(0) win 5808 <mss 1452,sackOK,timestamp 21696378 0,nop,wscale 0> (DF)
14:02:32.873363 193.95.241.200.4254 > 193.77.158.171.auth: S 2357062135:2357062135(0) win 5808 <mss 1452,sackOK,timestamp 21696678 0,nop,wscale 0> (DF)
14:02:38.873373 193.95.241.200.4254 > 193.77.158.171.auth: S 2357062135:2357062135(0) win 5808 <mss 1452,sackOK,timestamp 21697278 0,nop,wscale 0> (DF)
14:02:39.905410 193.95.241.200.pop3 > 193.77.158.171.57635: P 1:51(50) ack 1 win 5760 <nop,nop,timestamp 21697381 159735871> (DF)
14:02:39.930438 193.77.158.171.57635 > 193.95.241.200.pop3: . ack 51 win 5808 <nop,nop,timestamp 159736876 21697381> (DF) [tos 0x10]
14:02:41.967755 193.77.158.171.57635 > 193.95.241.200.pop3: F 1:1(0) ack 51 win 5808 <nop,nop,timestamp 159737080 21697381> (DF) [tos 0x10]
14:02:41.969977 193.95.241.200.pop3 > 193.77.158.171.57635: F 51:51(0) ack 2 win 5760 <nop,nop,timestamp 21697587 159737080> (DF)
14:02:41.994217 193.77.158.171.57635 > 193.95.241.200.pop3: . ack 52 win 5808 <nop,nop,timestamp 159737083 21697587> (DF) [tos 0x10]

When I connect over POP3 to the server from a client whose auth port is
firewalled, it takes about 4-5 seconds for the POP3 session to get
established. As can be seen from the tcpdump log above, that time appears
to be spent while the POP3 server tries three times to reach the client's
auth port (if the port is not firewalled, the delay is very small, because
it quickly says "connection refused", and in that case there are no
problems). Even if I configure the firewall to REJECT the auth port
instead of DROPping it, the same thing happens (why is that?).

I am wondering whether, if I open port 113 anyway (identd is not running!
so the port is "closed"), I create any kind of security hole.

The only one I can think of is that someone could then, if they root the
box, use 113 to connect to their rootkit.

How do the rest of you solve this? Do all POP3 servers do this?

Thanks.

-- 
Nejc Skoberne
Grajska ulica 5
SI-5220 Tolmin
nejc.skoberne at infrax.si
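An added example (my own code, not part of the post or of any POP3 server) that parses tcpdump text of the kind quoted above and measures how much of the session delay the ident lookup accounts for: it collects the server's SYNs to the client's auth port, the spacing of the retries, whether the client ever answered them (SYN-ACK or RST), and the time from the client's SYN to the server's first data segment (the POP3 greeting). The hosts, ports and timestamps are taken from the capture in the post; the function names are mine.

```python
"""Diagnose the ident (port 113, "auth") delay in a POP3 session from a
tcpdump text capture.  Added example; not part of the original post."""
import re
from typing import Dict, List, Optional

# Constructed sample: the capture quoted in the post, with the lines that the
# mail archive wrapped rejoined so that each packet sits on one line.
CAPTURE = """\
14:02:29.847653 193.77.158.171.57635 > 193.95.241.200.pop3: S 3875215150:3875215150(0) win 5808 <mss 1412,sackOK,timestamp 159735868 0,nop,wscale 0> (DF) [tos 0x10]
14:02:29.847828 193.95.241.200.pop3 > 193.77.158.171.57635: S 2361329779:2361329779(0) ack 3875215151 win 5760 <mss 1452,sackOK,timestamp 21696375 159735868,nop,wscale 0> (DF)
14:02:29.874175 193.77.158.171.57635 > 193.95.241.200.pop3: . ack 1 win 5808 <nop,nop,timestamp 159735871 21696375> (DF) [tos 0x10]
14:02:29.879227 193.95.241.200.4254 > 193.77.158.171.auth: S 2357062135:2357062135(0) win 5808 <mss 1452,sackOK,timestamp 21696378 0,nop,wscale 0> (DF)
14:02:32.873363 193.95.241.200.4254 > 193.77.158.171.auth: S 2357062135:2357062135(0) win 5808 <mss 1452,sackOK,timestamp 21696678 0,nop,wscale 0> (DF)
14:02:38.873373 193.95.241.200.4254 > 193.77.158.171.auth: S 2357062135:2357062135(0) win 5808 <mss 1452,sackOK,timestamp 21697278 0,nop,wscale 0> (DF)
14:02:39.905410 193.95.241.200.pop3 > 193.77.158.171.57635: P 1:51(50) ack 1 win 5760 <nop,nop,timestamp 21697381 159735871> (DF)
14:02:39.930438 193.77.158.171.57635 > 193.95.241.200.pop3: . ack 51 win 5808 <nop,nop,timestamp 159736876 21697381> (DF) [tos 0x10]
14:02:41.967755 193.77.158.171.57635 > 193.95.241.200.pop3: F 1:1(0) ack 51 win 5808 <nop,nop,timestamp 159737080 21697381> (DF) [tos 0x10]
14:02:41.969977 193.95.241.200.pop3 > 193.77.158.171.57635: F 51:51(0) ack 2 win 5760 <nop,nop,timestamp 21697587 159737080> (DF)
14:02:41.994217 193.77.158.171.57635 > 193.95.241.200.pop3: . ack 52 win 5808 <nop,nop,timestamp 159737083 21697587> (DF) [tos 0x10]
"""

# One TCP summary line of the old (2003-era) tcpdump text format used above:
#   HH:MM:SS.usec src.port > dst.port: FLAGS rest-of-line
LINE_RE = re.compile(
    r"^(?P<th>\d\d):(?P<tm>\d\d):(?P<ts>\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFPR.]+)\s(?P<rest>.*)$"
)

# tcpdump prints a service name when it knows one; accept the raw number too.
IDENT_PORTS = {"auth", "ident", "113"}


def parse_capture(text: str) -> List[Dict]:
    """Turn capture text into packet dicts; lines that are not TCP summaries are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = int(m["th"]) * 3600 + int(m["tm"]) * 60 + float(m["ts"])
        packets.append({
            "t": t,                                   # seconds since midnight
            "src": m["src"], "sport": m["sport"],
            "dst": m["dst"], "dport": m["dport"],
            "flags": m["flags"],
            # a SYN-ACK carries "ack N" after the sequence numbers; a bare SYN does not
            "ack": re.search(r"\back\b", m["rest"]) is not None,
        })
    return packets


def ident_lookups(packets: List[Dict]) -> Dict:
    """Server's SYNs towards the client's ident port, their spacing, and whether
    the client ever replied to them (a RST or SYN-ACK back to the server's port)."""
    syns = [p for p in packets
            if p["dport"] in IDENT_PORTS and "S" in p["flags"] and not p["ack"]]
    if not syns:
        return {"attempts": 0, "offsets": [], "client_answered": False}
    first = syns[0]
    answered = any(p["src"] == first["dst"] and p["sport"] in IDENT_PORTS
                   and p["dst"] == first["src"] and p["dport"] == first["sport"]
                   for p in packets)
    return {
        "attempts": len(syns),
        "offsets": [round(p["t"] - first["t"], 3) for p in syns],  # retry spacing
        "client_answered": answered,
    }


def pop3_banner_delay(packets: List[Dict]) -> Optional[float]:
    """Seconds from the client's SYN to port pop3 until the server's first data
    segment (the +OK greeting); None if either side is missing from the capture."""
    syn = next((p for p in packets
                if p["dport"] == "pop3" and "S" in p["flags"] and not p["ack"]), None)
    banner = next((p for p in packets if p["sport"] == "pop3" and "P" in p["flags"]), None)
    if syn is None or banner is None:
        return None
    return round(banner["t"] - syn["t"], 3)


def diagnose(text: str) -> Dict:
    """Summarise what the capture says about the ident lookup and the greeting delay."""
    packets = parse_capture(text)
    ident = ident_lookups(packets)
    delay = pop3_banner_delay(packets)
    if ident["attempts"] == 0:
        verdict = "no ident lookup seen"
    elif ident["client_answered"]:
        verdict = "ident lookup answered by client; the delay is not from a silent drop"
    else:
        verdict = "ident SYNs silently dropped: server retried until its own timeout"
    return {"banner_delay_s": delay, "ident": ident, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(CAPTURE))
```

On the capture from the post this reports three ident SYNs at roughly 0, 3 and 9 seconds with no reply from the client, and about 10 seconds between the client's SYN and the POP3 greeting, which is the retransmission backoff of an unanswered connect rather than anything the POP3 protocol itself requires. If the client's firewall answers the ident SYN with a TCP reset instead of dropping it (on iptables, `REJECT --reject-with tcp-reset`), `client_answered` becomes true and the server's connect fails at once. The parser only recognises TCP summary lines, so an ICMP port-unreachable reply (what a plain REJECT sends) is not counted as an answer here; when comparing DROP and REJECT behaviour, look for `icmp` lines in the same capture as well.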
