Re: disable listen on ports
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: disable listen on ports
- From: "Arnaud Bergeron" <abergeron_(_at_)_gmail_(_dot_)_com>
- Date: Mon, 3 Apr 2006 12:12:46 -0400
On 4/3/06, Joachim Schipper <j_(_dot_)_schipper_(_at_)_math_(_dot_)_uu_(_dot_)_nl> wrote:
> On Mon, Apr 03, 2006 at 11:11:22AM +0530, Niklaus wrote:
> > On 4/2/06, Chris Kuethe <chris_(_dot_)_kuethe_(_at_)_gmail_(_dot_)_com> wrote:
> > > On 4/2/06, Niklaus <niklaus_(_at_)_gmail_(_dot_)_com> wrote:
> > > > > what problem are you really trying to solve?
> > >
> > > really, what problem are you trying to solve? the fact that you have
> > > untrusted users?
> > >
> > > > I understand the tunnelling through ssh part.
> > > > Can you explain what reverse telnet is . I don't get it.
> > Users here on my system are running proxy servers like a SOCKS proxy and
> > downloading stuff which is banned on the squid proxy. This is a mail and
> > devel server, so all of the users have ssh and gcc accounts. They
> > compile the proxies they get on sourceforge and I really can't kill
> > all the processes because there are too many users. They are just like
> > redirectors. I don't want any user other than root to listen on any
> > port.
> I'd be inclined to both say 'let them' and 'filtering is best done at
> the firewall' (and yes, that's a separate machine).
> However, telling pf to block all outgoing traffic is enough.
> What you want to do - 'stop listeners', though, would require filtering
> the lo0 device as well. That should work, but is likely to be far from
> And, as Chris pointed out below, filtering for listeners doesn't really
> Really, the proper solution is to tell pf to block all outgoing traffic,
> then whitelist what you need. This shouldn't be too much - you could
> whitelist Squid by user, and the rest is likely to be simple (domain,
> possibly ssh, possibly imap(s)/pop(s), smtp if you are feeling lucky).
Or you could block all traffic to and from ports > 1024. That would
stop any proxies they might run. Opening a listen socket on a port
below 1024 does require root.
> > > Assume I have an HTTP proxy listening on 127.0.0.1 on your machine.
> > > Assume you've disabled port forwarding in sshd_config so I can't
> > > tunnel to my proxy.
> > > I then change my proxy program to connect back to a listener
> > > (netcat?) on my remote machine, at which point I have a TCP connection
> > > through which I can forward my HTTP requests to make them look like
> > > they're coming from your box.
> > >
> > > This sort of trick is easy to whack together... probably 10 or 15
> > > minutes if you're ripping code straight out of "Learning Perl" without
> > > knowing what you're doing. No doubt there's stuff in ports that can be
> > > used too.
> > >
> > > CK
"i think we should rewrite the kernel in java since it has good
support for threads." - Ted Unangst
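The ruleset below is an added example for this thread, not the poster's own configuration. It puts Joachim's advice (default-deny outbound on the shell box itself, whitelist what the server needs, match squid by user) into an OpenBSD pf.conf of the era, and also filters lo0 so that listeners bound to 127.0.0.1 are caught, which the thread notes is required. The interface name fxp0, the resolver 192.0.2.53, the _squid account and the assumption that ordinary users are created by adduser with uid >= 1000 are all assumptions for the example.

```pf
# Added example for this thread, not the poster's own configuration:
# a default-deny pf.conf for the shell server itself (OpenBSD pf as of 2006).
# Assumptions: external interface fxp0, a single resolver at 192.0.2.53,
# squid running as _squid, ordinary users created by adduser with uid >= 1000.
ext_if = "fxp0"
dns    = "192.0.2.53"

# Deliberately no "set skip on lo0": listeners bound to 127.0.0.1 can only be
# caught if lo0 is filtered.  Return RSTs so refused connects fail fast.
set block-policy return

# Default deny in both directions.  Everything below is a whitelist.
block log all

# Loopback: stateless pass, then refuse the initial SYN to any TCP listener
# whose socket is owned by an ordinary user (for inbound packets pf matches
# "user" against the owner of the listening socket).  Root daemons and
# _squid are unaffected, and so are users' own client connections to them,
# because the returning SYN-ACK does not match flags S/SA.
pass on lo0 all
block in log quick on lo0 proto tcp flags S/SA user >= 1000

# Services this box really offers.  keep state is required, otherwise the
# daemons' replies would die on the "block out" above.
pass in on $ext_if proto tcp to ($ext_if) port { ssh, smtp, imaps, pop3s } keep state

# Outbound whitelist.  DNS from anyone, but only to our resolver; mail only
# from root's MTA; web only from squid, whose ACLs then decide what users get.
pass out on $ext_if proto { tcp, udp } to $dns port domain keep state
pass out on $ext_if proto tcp to any port smtp keep state user root
pass out on $ext_if proto tcp to any port { http, https } keep state user _squid
# No rule passes other outbound traffic from uid >= 1000, so a user-compiled
# proxy can neither accept connections nor call back out to a remote listener
# the way the reverse-connect trick described above would.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. Matching on the socket owner rather than on port numbers is what makes the policy workable: the ephemeral source ports of legitimate client connections also sit above 1024, so ownership, not port range, is what distinguishes a user's proxy from a daemon's traffic. The lo0 rule does refuse every TCP listener owned by an ordinary user, including the X11-forwarding listener sshd's unprivileged child opens on the user's behalf; that is the stated goal here, but it is worth knowing before users report it.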