Following situation: Having an intranet-application that needs to know the ip-address of the clients before running. Clients anywhere in the Internet with any ip-address. So I thought about using masquerading the opposite way than normal. But then anybody could use this application. Does anybody know how to make it a little bit more secure, like proofing the mac-address of the client, or something like this? Or maybe with ip-ip-tunneling?

Michael Erhard
The problem with masquerading is that it does many-to-one NAT. Does your application support multiple connections from a single IP address?

As far as securing it goes... how about this:

I imagine that your application must use a specific set of ports. Use ipfwadm to block these ports by default. Make the users log in via SSH or some other secure login type setup. Have a script running that, when they log in, will grab the IP address they log in from and use ipfwadm commands to open the ports for your application to the client's IP address. You make another script that closes all these opened connections every night. This will make the user only have to log in once a day.

I don't know how this holds up against address spoofing but I don't think spoofing is very useful without source-routing (which should always be turned off in your kernel config!)**

** Only 95% sure of this statement so please correct me if need be. My take is that source spoofing can only be used for break-in attacks when coupled with source-routing. Source routing is the only way to get spoofed packets back to the "real" source of the spoofed packets. Spoofing is still usable and difficult to trace for DoS attacks.

Thanks.

-----Original Message-----
From: Michael Erhard [mailto:micha@andromeda.lalula.de]
Sent: Tuesday, June 16, 1998 2:59 AM
To: linux-security@redhat.com
Subject: [linux-security] masquerading

Following situation: Having an intranet-application that needs to know the ip-address of the clients before running. Clients anywhere in the Internet with any ip-address. So I thought about using masquerading the opposite way than normal. But then anybody could use this application. Does anybody know how to make it a little bit more secure, like proofing the mac-address of the client, or something like this? Or maybe with ip-ip-tunneling?
Michael Erhard
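
The scheme proposed in the reply above (deny the application port by default, open it for the address an SSH login came from, close everything nightly), sketched as an added example that is not code from the thread. `APP_PORT`, `STATE` and the dry-run `RUN` switch are assumptions; by default the script only prints the `ipfwadm` commands.

```shell
# Added example, not code from the thread. APP_PORT and STATE are assumed values.
APP_PORT=${APP_PORT:-8080}            # hypothetical application port
STATE=${STATE:-/var/run/app_clients}  # hypothetical record of opened addresses
RUN=${RUN-echo}                       # dry run by default; RUN= (empty) applies rules

# Accept only a strict dotted quad so nothing else reaches the firewall command.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old=$IFS; IFS=.; set -- $1; IFS=$_old   # split the address on dots
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
}

# sshd sets SSH_CLIENT to "<client ip> <client port> <server port>".
client_ip() {
    valid_ipv4 "${SSH_CLIENT%% *}" && printf '%s\n' "${SSH_CLIENT%% *}"
}

# Run once at boot: deny the application port to everyone.
default_deny() {
    $RUN ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 "$APP_PORT"
}

# Run at login: insert an accept rule ahead of the deny and record the address.
open_for_client() {
    _ip=$(client_ip) || { echo "no valid client address" >&2; return 1; }
    grep -qxF "$_ip" "$STATE" 2>/dev/null && return 0   # already opened today
    $RUN ipfwadm -I -i accept -P tcp -S "$_ip/32" -D 0.0.0.0/0 "$APP_PORT"
    printf '%s\n' "$_ip" >> "$STATE"
}

# Run nightly from cron: delete every accept rule opened during the day.
close_all() {
    [ -f "$STATE" ] || return 0
    while read -r _ip; do
        valid_ipv4 "$_ip" &&
            $RUN ipfwadm -I -d accept -P tcp -S "$_ip/32" -D 0.0.0.0/0 "$APP_PORT"
    done < "$STATE"
    rm -f "$STATE"
}

case ${1:-} in
    deny) default_deny ;; open) open_for_client ;; close) close_all ;;
esac
```

The rules key on the source address alone, so they are only as trustworthy as that address; the spoofing question raised in the thread applies to them directly.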
>I don't know how this holds up against address spoofing but I don't
>think spoofing is very useful without source-routing (which should
>always be turned off in your kernel config!)**
>** Only 95% sure of this statement so please correct me if need be. My
>take is that source spoofing can only be used for break-in attacks when
>coupled with source-routing. Source routing is the only way to get
>spoofed packets back to the "real" source of the spoofed packets.
>Spoofing is still usable and difficult to trace for DoS attacks.

Actually, as far as I am aware, you do not need source-routing to successfully complete a spoofing attack. It of course is more difficult without source routing since you are blindly transmitting packets without seeing responses, but if you know what kind of input the good guy is going to expect and you know what kind of output the good guy is going to transmit, you can successfully complete something such as a trust relationship exploitation attack.

Say machine A and B have an rlogin trust relationship allowing anyone from A to log into B and vice versa without a password. If you are on C and spoof A's address while D.O.S.'ing A, you can make a blind connection to B and transmit the correct packets to open the rlogin connection. This would then allow you to log into B as a user from A and open up a hole for yourself in the future by creating a .rhosts in the user's home directory with a host that you have control over outside of their network.

This attack is almost impossible though on a correctly configured UP TO DATE Linux box since most DoS attacks that are known are fully patched in Linux. Although... who knows what will be figured out in an hour from now :(

Because he would be using SSH, I would think a spoofing attack would be almost impossible, although with the recent holes found in ssh I can't say that it is totally impossible.

See Phrack Magazine issue 48 for a more detailed discussion of IP-spoofing. http://www.phrack.com

Mike Cunningham