Date:      Mon, 24 Nov 2008 22:37:23 +0100
From:      Eirik Øverby <ltning@anduin.net>
To:        freebsd-security@freebsd.org
Cc:        Pieter de Boer <pieter@thelostparadise.com>
Subject:   Re: Dropping syn+fin replies, but not really?
Message-ID:  <876D0973-A384-4567-8E61-771E96E8A65A@anduin.net>
In-Reply-To: <49299876.4020702@thelostparadise.com>
References:  <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net> <49299876.4020702@thelostparadise.com>


On Nov 23, 2008, at 18:52, Pieter de Boer wrote:

> Eirik Øverby wrote:
>
>> I have a FreeBSD based firewall (pfsense) and, behind it, a few
>> dozen FreeBSD servers. Now we're required to run external security
>> scans (nessus++) on some of the hosts, and they constantly come
>> back with a "high" or "medium" severity problem: The host replies
>> to TCP packets with SYN+FIN set.
> I'd consider this at most a 'low' severity problem.

Agreed.


>> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the
>> host in question (recent FreeBSD 7.2-PRERELEASE) have
>> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
>> non-issue.
> Given security tools' (including Nessus') track records of false
> positives, I wouldn't be surprised if this was one of them.

They generate a lot of others, too, mostly due to insufficient or
downright bogus identification of services. Since when did "pound ssl
proxy" equal "aladdin web server"? And since when was it common to run
Apache 2.0.23 for Linux on FreeBSD 7.0? Not to mention all the
Windows-specific vulnerabilities I'm supposedly open to.


>> Have I missed something important? Apart from this the hosts and =20
>> services get away without any serious issues, but the security =20
>> audit company insists this so-called hole to be closed.
> It's not a hole, but could possibly aid in bypassing filtering rules
> (which is quite unlikely in this day and age). It may be wise to find a
> security company that knows how to interpret and verify Nessus output.
>
> If you want to do verification yourself, you could try the following:
> - Run tcpdump on one of the servers and on the firewall
> - Run nmap from an external host using the '--scanflags SYNFIN' flag
> with destination the server.
>
> You can let tcpdump only show specific ports and source/destination
> addresses. It's probably useful to use nmap to scan both ports you know
> to be open and in use and ports that are filtered. Using the -p option
> to nmap, you can specify which ports to scan.
>
> Perform the nmap scan and look at the tcpdump output to see how your
> firewall and/or server react.

nmap command:
nmap -PN -sT --scanflags SYNFIN -p<port> anduin.net
where <port> was either 80 (open) or 8585 (closed).

tcpdump command on firewall (which NATs to internal IPs):
tcpdump -i <interface> -p -vvv host alge.anart.no and \(port 80 or port 8585\)
where <interface> was the publicly facing interface on the firewall.

Results for port 80:
  IP (tos 0x0, ttl  59, id 12785, offset 0, flags [DF], proto: TCP (6), length: 64) alge.anart.no.40283 > 213.225.74.230.http: S, cksum 0xa720 (correct), 3300467486:3300467486(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2747936488 0>
  IP (tos 0x0, ttl  63, id 10914, offset 0, flags [DF], proto: TCP (6), length: 60) 213.225.74.230.http > alge.anart.no.40283: S, cksum 0x8ef5 (correct), 347647336:347647336(0) ack 3300467487 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 2946365534 2747936488>
  IP (tos 0x0, ttl  59, id 33877, offset 0, flags [DF], proto: TCP (6), length: 52) alge.anart.no.40283 > 213.225.74.230.http: ., cksum 0x7dbd (correct), 1:1(0) ack 1 win 16384 <nop,nop,timestamp 2747936488 2946365534>
  IP (tos 0x0, ttl  59, id 31905, offset 0, flags [DF], proto: TCP (6), length: 40) alge.anart.no.40283 > 213.225.74.230.http: R, cksum 0x7180 (correct), 1:1(0) ack 1 win 0

Results for port 8585:
  IP (tos 0x0, ttl  59, id 44156, offset 0, flags [DF], proto: TCP (6), length: 64) alge.anart.no.1839 > 213.225.74.230.8585: S, cksum 0xf765 (correct), 1324215952:1324215952(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 4070158112 0>
  IP (tos 0x0, ttl  63, id 34488, offset 0, flags [DF], proto: TCP (6), length: 40) 213.225.74.230.8585 > alge.anart.no.1839: R, cksum 0x52ef (correct), 0:0(0) ack 1324215953 win 0

I can't tell what's going on here, except I wouldn't have expected a
reply at all to the second one at least, and maybe not even the first.
However, I don't have enough experience to tell if nmap is doing the
"right thing" here at all.

Thanks,
/Eirik
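In both captures above the probe's flag field is "S" alone, i.e. a plain SYN rather than SYN+FIN (nmap's -sT connect scan goes through the kernel's connect() call, so --scanflags has no effect on it), and the host answers with SYN+ACK on the open port and RST+ACK on the closed one. As an added example that is not part of this thread, the Python below parses that tcpdump format, pairs each probe with the first packet flowing back on the same addresses and ports, and reports whether any probe carrying both SYN and FIN was answered with SYN+ACK, which is exactly what net.inet.tcp.drop_synfin=1 is meant to suppress; the second capture is constructed (placeholder names and a documentation-range address) to show what a positive finding looks like.

```python
import re

# Constructed sample: the two captures posted in the thread, with the mail's
# soft line breaks joined back so each packet is one tcpdump line.
THREAD_CAPTURE = """\
IP (tos 0x0, ttl  59, id 12785, offset 0, flags [DF], proto: TCP (6), length: 64) alge.anart.no.40283 > 213.225.74.230.http: S, cksum 0xa720 (correct), 3300467486:3300467486(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2747936488 0>
IP (tos 0x0, ttl  63, id 10914, offset 0, flags [DF], proto: TCP (6), length: 60) 213.225.74.230.http > alge.anart.no.40283: S, cksum 0x8ef5 (correct), 347647336:347647336(0) ack 3300467487 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 2946365534 2747936488>
IP (tos 0x0, ttl  59, id 33877, offset 0, flags [DF], proto: TCP (6), length: 52) alge.anart.no.40283 > 213.225.74.230.http: ., cksum 0x7dbd (correct), 1:1(0) ack 1 win 16384 <nop,nop,timestamp 2747936488 2946365534>
IP (tos 0x0, ttl  59, id 31905, offset 0, flags [DF], proto: TCP (6), length: 40) alge.anart.no.40283 > 213.225.74.230.http: R, cksum 0x7180 (correct), 1:1(0) ack 1 win 0
IP (tos 0x0, ttl  59, id 44156, offset 0, flags [DF], proto: TCP (6), length: 64) alge.anart.no.1839 > 213.225.74.230.8585: S, cksum 0xf765 (correct), 1324215952:1324215952(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 4070158112 0>
IP (tos 0x0, ttl  63, id 34488, offset 0, flags [DF], proto: TCP (6), length: 40) 213.225.74.230.8585 > alge.anart.no.1839: R, cksum 0x52ef (correct), 0:0(0) ack 1324215953 win 0
"""
# Constructed sample (placeholder host names/addresses, not from the thread)
# of a SYN+FIN probe that is wrongly answered with SYN+ACK, same format.
SYNFIN_ANSWERED = """\
IP (tos 0x0, ttl 59, id 1, offset 0, flags [DF], proto: TCP (6), length: 40) scanner.example.1000 > 192.0.2.10.http: SF, cksum 0x0000 (correct), 1:1(0) win 16384
IP (tos 0x0, ttl 63, id 2, offset 0, flags [DF], proto: TCP (6), length: 40) 192.0.2.10.http > scanner.example.1000: S, cksum 0x0000 (correct), 5:5(0) ack 2 win 65535
"""
# "src > dst: FLAGS," in the old ("S,") and newer ("Flags [S.],") styles;
# the ACK bit shows up as "ack N" later on the line rather than in FLAGS.
PKT_RE = re.compile(r'\) (\S+) > (\S+): (?:Flags \[)?([A-Z.]+)\]?,(.*)$')

def parse_capture(text):
    """One dict per TCP packet line: src, dst and the set of flag names."""
    packets = []
    for m in filter(None, map(PKT_RE.search, text.splitlines())):
        src, dst, fl, rest = m.groups()
        flags = {name for ch, name in (('S', 'SYN'), ('F', 'FIN'), ('R', 'RST')) if ch in fl}
        if re.search(r'\back \d+', rest):
            flags.add('ACK')
        packets.append({'src': src, 'dst': dst, 'flags': flags})
    return packets

def probe_replies(packets):
    """Pair each SYN-bearing probe (no ACK) with the first packet sent back
    on the same addresses/ports; returns [(probe_flags, reply_flags_or_None)]."""
    pairs = []
    for i, p in enumerate(packets):
        if 'SYN' not in p['flags'] or 'ACK' in p['flags']:
            continue
        reply = next((q for q in packets[i + 1:]
                      if q['src'] == p['dst'] and q['dst'] == p['src']), None)
        pairs.append((frozenset(p['flags']), frozenset(reply['flags']) if reply else None))
    return pairs

def synfin_accepted(packets):
    """True only if a probe with SYN and FIN both set was answered with SYN+ACK."""
    return any({'SYN', 'FIN'} <= probe and reply is not None and {'SYN', 'ACK'} <= reply
               for probe, reply in probe_replies(packets))
```

Running it over the thread's capture pairs both probes as plain SYN (answered SYN+ACK and RST+ACK respectively) and reports no SYN+FIN finding, so that capture neither confirms nor refutes the scanner's claim; a capture taken while a raw scan type actually emits "SF" probes is what the check needs.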


