Author: Benjamin D. Thomas
for the Linux kernel, xboing, pwlib, tcpdump, and libxml2. The distributors
include Debian, Fedora, FreeBSD, and Mandrake.
Knock Knock, Who’s There?
One of the more recent rumblings
in the open source community is the concept of port knocking. This technique
involves a daemon listening for a particular knock sequence. A knock is established
by a client trying to make a connection to a closed port. If the client provides
the correct sequence, the server modifies its firewall rules to allow access
to a specific port for that user. For example, the system may be configured
to open up port 22 if the correct information is sent across a series of connection
attempts.
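The sequence check described above, as an added example (not code from the article or from the Portknocking.org implementations): a tracker that replays a constructed firewall log of dropped connection attempts and records which source would be allowed through to port 22. The knock ports 7000/8000/9000, the 10-second window and the log format are assumptions chosen for illustration.

```python
import re

# Assumed for illustration (not from the article): sequence, window, log format.
KNOCK_SEQUENCE = (7000, 8000, 9000)   # closed ports that must be tried in this order
PROTECTED_PORT = 22                   # port opened for the source on success
WINDOW_SECONDS = 10.0                 # whole sequence must finish within this time
LOG_RE = re.compile(r"^(\d+(?:\.\d+)?) DROP SRC=(\S+) DPT=(\d+)$")

# Constructed firewall log of dropped connection attempts (documentation addresses).
SAMPLE_LOG = """\
100.0 DROP SRC=192.0.2.10 DPT=7000
101.0 DROP SRC=192.0.2.10 DPT=8000
101.5 DROP SRC=198.51.100.7 DPT=7000
102.0 DROP SRC=192.0.2.10 DPT=9000
103.0 DROP SRC=198.51.100.7 DPT=9000
104.0 DROP SRC=203.0.113.5 DPT=7000
105.0 DROP SRC=203.0.113.5 DPT=8000
130.0 DROP SRC=203.0.113.5 DPT=9000
"""

class KnockTracker:
    def __init__(self):
        self.progress = {}   # source IP -> (knocks matched so far, time of first knock)
        self.allowed = []    # (source IP, port) rules the daemon would add

    def observe(self, ts, src, port):
        idx, start = self.progress.get(src, (0, ts))
        if idx and ts - start > WINDOW_SECONDS:
            idx = 0                              # too slow: partial sequence expires
        if port == KNOCK_SEQUENCE[idx]:
            start = ts if idx == 0 else start
            idx += 1
        else:                                    # wrong port resets this source
            idx, start = (1, ts) if port == KNOCK_SEQUENCE[0] else (0, ts)
        if idx == len(KNOCK_SEQUENCE):
            self.progress.pop(src, None)
            self.allowed.append((src, PROTECTED_PORT))
            return True
        self.progress[src] = (idx, start)
        return False

def replay(log_text):
    """Feed log lines to a fresh tracker; return the allow rules it would create."""
    tracker = KnockTracker()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:                                    # ignore lines in other formats
            tracker.observe(float(m.group(1)), m.group(2), int(m.group(3)))
    return tracker.allowed
```

Only the first source completes the sequence in order and in time. Because any wrong port resets a source's progress, a sequential sweep across the knock ports does not open the service.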
Port knocking is not a security
silver bullet. Like most controls, it is merely another layer. It can work well
in conjunction with IP-based access controls and standard forms of user authentication.
Because it can be considered a sophisticated form of security by obscurity,
one should not rely on port knocking alone. Rather, it can be used to provide
an additional level of protection.
For those of you interested in port
knocking, there is a wonderful resource available at
Portknocking.org. The site includes a firewall primer, sample port knocking software written in
Perl, C, Java, and Python, enough documentation to get started, and a FAQ.
The Perl implementation includes
a knockclient and knockdaemon. Both include enough documentation to install
them. Port knocking provides a great way to hide services that are rarely used.
However, it does not take the place of strong passwords/keys, other forms of
authentication, and server patching. Usage of port knocking does not mean that
it is alright to run a severely outdated version of OpenSSH. It may prevent
some compromises, but does not eliminate the possibility.
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity
Feature Extras:

Innovative Open Source Approach to Combating Email Threats
– Guardian Digital, the world’s premier open source security company, has
introduced Content and Policy Enforcement (CAPE) technology, an innovative
open source software system for securing enterprise email operations.

Interview with Vincenzo Ciaglia, Founder of Netwosix
– In this article, a brief introduction of Netwosix is given and the project
founder Vincenzo Ciaglia is interviewed. Netwosix is a light Linux distribution
for system administrators and advanced users.

Introduction to Netwox and Interview with Creator Laurent Constantin
– In this article Duane Dunston gives a brief introduction to Netwox, a combination
of over 130 network auditing tools. Also, Duane interviews Laurent Constantin,
the creator of Netwox.
Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
Distribution: Debian

| Date | Package | Advisory | Summary |
|---|---|---|---|
| 2/27/2004 | kernel | MIPS platform update | Several local root exploits have been discovered recently in the Linux 2.4.x |
| 2/27/2004 | xboing | Buffer overflow vulnerabilities | Can be exploited by a local attacker to gain gid “games”. |
| 3/1/2004 | libapache-mod-python | Denial of service vulnerability | Fixes a bug which allows a malformed query string to crash the corresponding |
| 3/2/2004 | kernel | 2.2.x Privilege escalation vulnerability | It turned out that a second (sort of) vulnerability is indeed exploitable |
| 3/3/2004 | kernel | 2.2.x (alpha) Privilege escalation vulnerability | This is the alpha-chip version of the kernel 2.2.x patch Debian released |
| 3/4/2004 | libxml/libxml2 | Buffer overflow vulnerability | When fetching a remote resource via FTP or HTTP, the library uses special |

Distribution: Fedora

| Date | Package | Advisory | Summary |
|---|---|---|---|
| 3/2/2004 | pwlib | Denial of service vulnerability | Using carefully crafted messages, an attacker can bring about denial of |
| 3/3/2004 | tcpdump | Multiple vulnerabilities | Carefully crafted packets can cause denial of service in tcpdump, or execute |
| 3/3/2004 | kernel | 2.4.x Privilege escalation vulnerability | Rollup rpms fix recently reported kernel vulnerabilities in Red Hat 7.2-8. |
| 3/4/2004 | tcpdump | Multiple vulnerabilities | Crafted packets could result in a denial of service, or possibly execute |

Distribution: FreeBSD

| Date | Package | Advisory | Summary |
|---|---|---|---|
| 2/27/2004 | kernel | Improper access vulnerability | Jailed processes can attach to other jails. |
| 3/3/2004 | kernel | Denial of service vulnerability | Out-of-sequence TCP packets can be used to execute a low-bandwidth DoS attack. |

Distribution: Mandrake

| Date | Package | Advisory | Summary |
|---|---|---|---|
| 3/4/2004 | pwlib | Denial of service vulnerability | Severity would vary based on the application, but likely would result in |
| 3/4/2004 | libxml2 | Buffer overflow vulnerability | Under certain circumstances, this bug could be remotely exploited to execute |