Mr. Wilmot,

Have you verified whether your custom-compiled TCP Wrapper completes the TCP/IP three-way handshake, or the inetd daemon does? I doubt it does. If it is inetd, then there is no way your TCP Wrappers can monitor services in the inetd.conf file without making them appear open. No matter what TCP Wrapper does, by the time the TCP Wrapper gets control of the connection from inetd, the inetd daemon has already given away the sign that those ports that are controlled with tcpd are open just by completing the three-way handshake. It really takes one packet for the scanning host to identify the open ports: a SYN/FIN packet after the SYN packet requesting a connection...

If you choose to continue to use TCP Wrapper, you must consider what you don't get to see as well. With all the port scanners that are out there for free, many can easily perform a stealth scan that never completes the three-way handshake. TCP Wrapper will never report any unauthorized connection request.

Ethan Kane

Ng Pheng Siong <ngpsat_private> wrote:

On Mon, May 19, 2003 at 11:12:28AM -0700, Wilmot, Fred wrote:
> Great comments. Thank you for the input on various packages available
> to support a poor man's intrusion detection tool. Unfortunately, I have
> a design task to figure out how to use TCP Wrappers to do such a thing,

I've always wondered: With TCPwrappers, your system gets into the TCP handshaking; with packet filters, your system does not. Might there be cases where bugs in the TCP/IP implementation make your system vulnerable to DOS or other attacks in the former case, but not the latter?

(Back when I first wondered this, (about '96, during the first reported synflood?) I switched from TCPwrappers to packet filters. Never actually checked this out. ;-)

--
Ng Pheng Siong
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
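Added example, not part of the original messages: a loopback sketch of the ordering discussed in this thread, in which the kernel finishes the three-way handshake on a listening socket before any user-space access check can run. The listener stands in for inetd and `wrapper_allows` for a tcpd-style check; `ALLOWED_CLIENTS`, `wrapper_allows` and `demo` are hypothetical names, and the allow list is constructed.

```python
import socket

# Constructed allow list standing in for a hosts.allow decision (hypothetical).
ALLOWED_CLIENTS = {"192.0.2.10"}


def wrapper_allows(peer_ip):
    """Access check that can only run once accept() has returned a socket."""
    return peer_ip in ALLOWED_CLIENTS


def demo():
    # "inetd" role: listen on an ephemeral loopback port, do not accept() yet.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]

    # The client's connect() succeeds as soon as the kernel completes
    # SYN, SYN/ACK, ACK; no user-space code has seen the connection yet.
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(2)
    open_before_accept = client.connect_ex(("127.0.0.1", port)) == 0

    # Only now does the wrapper receive a connected socket to inspect and log.
    # A probe that never completes the handshake never reaches this point,
    # so it produces no log entry here at all.
    conn, (peer_ip, _peer_port) = listener.accept()
    log = []
    allowed = wrapper_allows(peer_ip)
    if not allowed:
        log.append(f"refused connect from {peer_ip}")
        conn.close()

    # The refused client sees a connection that was established, then closed.
    client_saw_close = client.recv(1) == b""

    client.close()
    listener.close()
    return {
        "open_before_accept": open_before_accept,
        "wrapper_allowed": allowed,
        "log": log,
        "client_saw_close": client_saw_close,
    }


if __name__ == "__main__":
    print(demo())
```
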
This archive was generated by hypermail 2b30 : Sat Jun 14 2003 - 23:03:11 PDT