
[linux-security] Re: portmap vulnerability?



Matt wrote:
> 
> In mail.linux.security Tony Nugent <Tony Nugent usq edu au> wrote:
> : To make this post worthwhile, here is a snippet out of my own
> : /etc/hosts.deny file...
> 
> : " | /bin/mail -s "$(uname -n) wrappers\: %d refused for %c" \
> : root localhost ) &
> 
> It was very tempting to send a pile of spoofed packets into your network to
> generate a huge load of email, filling up your mail spool and generating a
> nice load on your system. :)
> 
> As tempting as this type of logging usually is, perhaps you want to dump
> it to a file, instead of having every connection attempted emailed to you,
> generating a handful of processes while it does so.

How many processes does something like ssmtp kick off?  Not enough to be
significant, plus you won't risk having your filesystem fill up.  Just
from some informal observation of rules appending echoed wrapper
parameters to a log file and ssmtp, I found ssmtp to actually be much
faster and use fewer system resources (this is purely anecdotal, though
and may have been due to some defective structured spawns, as I had
started playing around with hosts.allow/deny at the time).  As a
general rule of thumb, I would never run a heavy duty MTA/MDA on a machine
responsible for core services or any aspect of security in general.  Not
happy?  Rate limit connections or write some back-off code for ssmtp
(how hard could it be?  Famous last words, eh?).
 
> [mod: Some remarked that things like "%u" are "client controlled" and
> could be used to exploit Tony's system. The manual however claims:
>       Characters in % expansions that may confuse the shell
>       are replaced by underscores.
> so that should be OK. -- REW]

I like to use queso to do reactive probing (yes, I suppose this could be
used against other networks by a third party... but if anyone is at the
wheel on the other network, this sets off a whole other set of human
bells and whistles).  It would be very nice to have a %p (for whichever
port the connection was initiated at) available in the wrapper package
so that I don't have to break out each and every service in a separate
hosts.allow/deny match and generalize rules for services I don't run by
using 113 (ident/auth)... or did I just miss something in the man page?
Might this be a handy way to detect port scans or spoofed packets?  If
connections are being initiated at ports that don't respond/handshake,
what else could it be (disregarding UDP, of course)?  Maybe that's a
bit beyond the current scope of wrappers, but it would be nice.  Oh
well, more work for someone else...
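One way to do the "log to a file, rate limit the mail" part that the thread goes back and forth on, as an added example that is not code from either poster: a POSIX sh script that a hosts.deny `spawn` rule calls with `%d` and `%c`, so the refused connection is always logged but a flood of spoofed connections cannot flood the mail spool. The script name, log and state paths, mail command and limits are assumptions.

```shell
#!/bin/sh
# Rate-limited notifier for tcp_wrappers "spawn" rules (added example, not from
# the thread).  Invoke from hosts.deny as:  spawn /usr/local/sbin/wrap-notify.sh %d %c
# Every refused connection is appended to a log file; a mail is sent only while
# fewer than RL_MAX mails have gone out in the current RL_WINDOW seconds, so a
# flood of spoofed connections cannot flood the mail spool.
# Assumed (not from the thread): the script name, paths and limits below.

RL_LOG="${RL_LOG:-/var/log/wrappers.log}"
RL_STATE="${RL_STATE:-/var/run/wrap-notify.state}"   # holds "window_start count"
RL_MAX="${RL_MAX:-5}"                                 # mails allowed per window
RL_WINDOW="${RL_WINDOW:-600}"                         # window length in seconds
RL_MAILER="${RL_MAILER:-/bin/mail}"                   # command fed the mail body

# rl_allow NOW: return 0 if a mail may be sent at time NOW, 1 if the budget is
# spent.  Updates the state file (one window start and a counter) as a side effect.
rl_allow() {
    now=$1; start=0; count=0
    if [ -r "$RL_STATE" ]; then read -r start count < "$RL_STATE" || :; fi
    if [ $((now - start)) -ge "$RL_WINDOW" ]; then
        start=$now; count=0                           # a new window begins
    fi
    if [ "$count" -ge "$RL_MAX" ]; then
        printf '%s %s\n' "$start" "$count" > "$RL_STATE"
        return 1
    fi
    printf '%s %s\n' "$start" $((count + 1)) > "$RL_STATE"
    return 0
}

# rl_notify DAEMON CLIENT: log unconditionally, mail only within the budget.
# Prints "mailed" or "suppressed" so the caller (or a test) can see the outcome.
# DAEMON and CLIENT are passed as arguments, never spliced into a shell string.
rl_notify() {
    daemon=$1; client=$2; stamp=$(date +%s)
    printf '%s wrappers: %s refused for %s\n' "$stamp" "$daemon" "$client" >> "$RL_LOG"
    if rl_allow "$stamp"; then
        printf 'wrappers: %s refused for %s (limit %s per %ss)\n' \
            "$daemon" "$client" "$RL_MAX" "$RL_WINDOW" |
            "$RL_MAILER" -s "$(uname -n) wrappers: $daemon refused for $client" root
        echo mailed
    else
        echo suppressed
    fi
}

# When run from hosts.deny the two % expansions arrive as the arguments.
if [ $# -ge 2 ]; then rl_notify "$1" "$2"; fi
```

tcp_wrappers already replaces shell-confusing characters in `%` expansions with underscores, as the moderator notes; the script additionally only ever uses the two values as arguments, so nothing from the client is evaluated by the shell.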


