I used nmap commands to do a fingerprint test on OpenBSD 3.3, here is the result:

    (The 65530 ports scanned but not shown below are in state: filtered)
    Port       State    Service
    22/tcp     open     ssh
    23/tcp     closed   telnet
    80/tcp     open     http
    2222/tcp   open     unknown
    8888/tcp   closed   sun-answerbook
    Remote operating system guess: OpenBSD 3.1 on an Alpha

It seems that my PF rule can't prevent a fingerprint scan. Please see the PF rules as attached below:

    scrub in all fragment reassemble
    block drop in log all
    block drop in log quick on tun0 inet from 10.0.0.0/8 to any
    block drop in log quick on tun0 inet from 172.16.0.0/12 to any
    block drop in log quick on tun0 inet from 192.168.0.0/24 to any
    block drop in log quick on tun0 inet from 0.0.0.0 to any
    block drop in log quick on tun0 inet from 255.255.255.255 to any
    block drop in log quick on tun0 inet from 127.0.0.0/8 to any
    block drop in log quick on tun0 inet proto tcp all flags FPU/FPU
    pass in on lo0 all
    pass in quick on fxp0 all
    pass out quick on fxp0 all
    block drop in log quick on tun0 inet proto udp from any to 255.255.255.255
    pass out quick on tun0 proto tcp all flags S/SA keep state
    pass out quick on fxp0 proto tcp all flags S/SA keep state
    pass out quick on tun0 proto udp all keep state
    pass out quick on fxp0 proto udp all keep state
    pass in on tun0 proto tcp from any to any port = ssh flags S/SA keep state
    pass in on fxp0 proto tcp from any to any port = ssh flags S/SA keep state
    pass in on tun0 proto tcp from any to any port = 2222 flags S/SA keep state
    pass in on fxp0 proto tcp from any to any port = 2222 flags S/SA keep state
    pass in on tun0 proto tcp from any to any port = telnet flags S/SA keep state
    pass in on fxp0 proto tcp from any to any port = telnet flags S/SA keep state
    pass in on tun0 proto tcp from any to any port = 8888 flags S/SA keep state
    pass in on fxp0 proto tcp from any to any port = 8888 flags S/SA keep state
    pass in on tun0 proto tcp from any to any port = www flags S/SA keep state
    pass in on fxp0 proto tcp from any to any port = www flags S/SA keep state

How do I change my PF rules to prevent a fingerprint scan on OpenBSD?

thanks
sam

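As an added example that is not part of this thread: a pf.conf fragment for OpenBSD 3.3 using PF's own normalization features (scrub options and modulate state), which are the PF mechanisms meant to reduce the distinguishing details in a host's replies. It assumes the interfaces and listening ports from sam's post; the macro names are mine.

```conf
# Added example, not from the thread: a pf.conf fragment for OpenBSD 3.3 that
# normalizes traffic so the host's replies carry fewer distinguishing details.
# tun0/fxp0 and the open ports come from sam's post; macro names are assumed.
ext_if = "tun0"
int_if = "fxp0"
# Only ports with a daemon actually listening. Passing 23 and 8888 with nothing
# behind them lets the kernel answer RST, and replies to closed ports are one of
# the signals OS-fingerprinting tools compare.
tcp_services = "{ ssh, www, 2222 }"
bogons = "{ 0.0.0.0, 255.255.255.255, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }"

# Normalization: reassemble fragments, strip DF, clamp MSS and normalize TCP
# sequence/timestamp handling inbound; randomize the IP ID field outbound
# (predictable IP IDs are a classic fingerprint signal).
scrub in  on $ext_if all no-df max-mss 1440 fragment reassemble reassemble tcp
scrub out on $ext_if all random-id reassemble tcp

# Default deny, silently (block drop, not block return), and log it for detection.
block drop in log all

# Spoofed or bogus source addresses on the external interface.
block drop in log quick on $ext_if inet from $bogons to any

# Packets with FIN, PSH and URG all set (XMAS-style probes), as in sam's ruleset.
block drop in log quick on $ext_if inet proto tcp all flags FPU/FPU

pass in  quick on lo0 all
pass in  quick on $int_if all
pass out quick on $int_if all

# Stateful outbound; modulate state randomizes initial sequence numbers.
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto udp all keep state
pass out on $ext_if proto icmp all keep state

# Inbound: SYN only, to real services only, with ISN modulation.
pass in on $ext_if proto tcp from any to any port $tcp_services flags S/SA modulate state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the closed-port behaviour is the part worth re-testing afterwards, since the scan above reported 23 and 8888 as closed rather than filtered.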
On Fri, 29 Aug 2003 08:36:25 +0800, "sam" <samwun@hgcbroadband.com> said the following:

>I used nmap commands to do fingerprint test on OpenBSD 3.3, here is the
>result:
>Remote operating system guess: OpenBSD 3.1 on an Alpha
>It seems that my PF rule can't prevent fingerprint scan.
>block drop in log quick on tun0 inet proto tcp all flags FPU/FPU
>How to change my PF rules to prevent fingerprint scan on OpenBSD?

Good query. I thought your rule (the one I left behind) should be able to handle scans. Evidently it doesn't. I would really like to know the answer. Anyone?

> >It seems that my PF rule can't prevent fingerprint scan.
>
> >block drop in log quick on tun0 inet proto tcp all flags FPU/FPU
>
> >How to change my PF rules to prevent fingerprint scan on OpenBSD?
>
> Good query. I thought your rule (the one I left behind) should be
> able to handle scans. Evidently it doesn't. I would really like to
> know the answer. Anyone?

sysctl -w net.inet.tcp.recvspace=65536
sysctl -w net.inet.tcp.sendspace=65536
sysctl -w net.inet.tcp.sack=0

Index: sys/sys/protosw.h ================================================== ================= RCS file: /cvs/src/sys/sys/protosw.h,v retrieving revision 1.9 diff -u -r1.9 protosw.h --- sys/sys/protosw.h 2003/06/02 23:28:21 1.9 +++ sys/sys/protosw.h 2003/08/29 04:08:14 @@ -90,8 +90,8 @@ int (*pr_sysctl)(int *, u_int, void *, size_t *, void *, size_t); }; -#define PR_SLOWHZ 2 /* 2 slow timeouts per second */ -#define PR_FASTHZ 5 /* 5 fast timeouts per second */ +#define PR_SLOWHZ 5 /* 2 slow timeouts per second */ +#define PR_FASTHZ 10 /* 5 fast timeouts per second */ /* * Values for pr_flags.

--
"The laws in this city are clearly racist. All laws are racist. The law of gravity is racist." - M. Barry, Mayor of Washington, DC

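Review bot: the comments on the two `+#define` lines no longer describe the values: `+#define PR_SLOWHZ 5 /* 2 slow timeouts per second */` and `+#define PR_FASTHZ 10 /* 5 fast timeouts per second */` keep the old numbers in the comment while the constants become 5 and 10. Update the comments to match, and since these constants in protosw.h set the slow/fast timeout rate for every protocol that uses them, add a comment stating the intent of the change so a reader does not mistake the bare value bump for a typo.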
Ted Unangst wrote:
> ================================================== =================
> RCS file: /cvs/src/sys/sys/protosw.h,v
> retrieving revision 1.9
> diff -u -r1.9 protosw.h

Will this patch make it into current or is it just a special version for the OP?

MK

Ted Unangst wrote:
>> >It seems that my PF rule can't prevent fingerprint scan.
>>
>> >block drop in log quick on tun0 inet proto tcp all flags FPU/FPU
>>
>> >How to change my PF rules to prevent fingerprint scan on OpenBSD?
>>
>> Good query. I thought your rule (the one I left behind) should be
>> able to handle scans. Evidently it doesn't. I would really like to
>> know the answer. Anyone?
>
> sysctl -w net.inet.tcp.recvspace=65536
> sysctl -w net.inet.tcp.sendspace=65536
> sysctl -w net.inet.tcp.sack=0
>

Additionally, obfuscate the TTL:

sysctl -w net.inet.ip.ttl=71

EJ
--
Remove the obvious part (including the dot) for my email address

On Fri, 29 Aug 2003, M Khomo wrote:
> Ted Unangst wrote:
> > ================================================== =================
> > RCS file: /cvs/src/sys/sys/protosw.h,v
> > retrieving revision 1.9
> > diff -u -r1.9 protosw.h
>
> Will this patch make it into current or is it just a special version for
> the OP?

it essentially halves all the tcp timeouts. that could be considered broken behavior. but it will help fool various tools which measure the rate at which things change. so no, not a chance for being committed.

--
"The brave men who died in Vietnam, more than 100% of which were black, were the ultimate sacrifice." - M. Barry, Mayor of Washington, DC

In article <Pine.GSO.4.44.0308300621450.2162-100000@saga16.Stanford.EDU>, Ted Unangst wrote:
> On Fri, 29 Aug 2003, M Khomo wrote:
>> Ted Unangst wrote:
>> > ================================================== =================
>> > RCS file: /cvs/src/sys/sys/protosw.h,v
>> > retrieving revision 1.9
>> > diff -u -r1.9 protosw.h
>>
>> Will this patch make it into current or is it just a special version for
>> the OP?
>
> it essentially halves all the tcp timeouts. that could be considered
> broken behavior. but it will help fool various tools which measure the
> rate at which things change. so no, not a chance for being committed.

Instead of breaking things for world domination, openbsd people start breaking things for security. Neat. Committing this would indeed be an icing on the cake of sorts.

--
j p d (at) d s b (dot) t u d e l f t (dot) n l .

Sorry, I travelled somewhere for a week, so I missed all the replies. Can anyone resend me a way to prevent fingerprinting in OpenBSD 3.3?

thanks
sam

"jpd" <read_the_sig@do.not.spam.it> wrote in message news:bit439$b97$1@news1.transmedia.de...
> In article <Pine.GSO.4.44.0308300621450.2162-100000@saga16.Stanford.EDU>,
> Ted Unangst wrote:
> > On Fri, 29 Aug 2003, M Khomo wrote:
> >> Ted Unangst wrote:
> >> > ================================================== =================
> >> > RCS file: /cvs/src/sys/sys/protosw.h,v
> >> > retrieving revision 1.9
> >> > diff -u -r1.9 protosw.h
> >>
> >> Will this patch make it into current or is it just a special version for
> >> the OP?
> >
> > it essentially halves all the tcp timeouts. that could be considered
> > broken behavior. but it will help fool various tools which measure the
> > rate at which things change. so no, not a chance for being committed.
>
> Instead of breaking things for world domination, openbsd people start
> breaking things for security. Neat. Committing this would indeed be a
> icing on the cake of sorts.
>
> --
> j p d (at) d s b (dot) t u d e l f t (dot) n l .

On Sun, 7 Sep 2003 22:25:59 +1000, "sam" <samwun@hgcbroadband.com> wrote:
>sorry, as I travelled to somewhere for a week, so I miss all the replies.
>Can anyone resend me a way to prevent fingerprint in OpenBSD 3.3?
>

Use groups.google.com and learn before applying this nonsensical fix. You haven't a clue how to recompile a kernel and yet you are fretting about minor threats from an nmap fingerprint. Tweaking the timeouts to obfuscate the fingerprint will do SFA to protect you if any of the following

    22/tcp     open     ssh
    23/tcp     closed   telnet
    80/tcp     open     http
    2222/tcp   open     unknown
    8888/tcp   closed   sun-answerbook

are incorrectly configured and/or have bugs allowing code to be executed remotely.

greg
--
$ReplyAddress =~ s#\@.*$##; # Delete everything after the '@'
Who lives in a pineapple under the sea? Absorbent and yellow and porous is he! If nautical nonsense be something you wish! Then drop on the deck and flop like a fish!
