Contributed by jose on from the hiding-yourself dept.
(Comments are closed)
OpenBSD Journal
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]
By ben () on
i.e.:
# this makes p0f consider my OpenBSD 3.4 as a WinXP SP1 (32767:128:1:48:M1452,N,N,S:) (cf. /etc/pf.os)
# so don't do no-df in pf.conf
net.inet.tcp.recvspace=32767
net.inet.tcp.sendspace=32767
net.inet.ip.ttl=142 # desired value +14 (here: 128+14)
Those sysctls may also have an influence:
net.inet.tcp.sack
net.inet.tcp.rfc1323
net.inet.ip.mtudisctimeout
Changing max-mss with pf (i.e. scrub out all max-mss 1450, for instance) defeats the p0f link detection.
You can check your tweaks' impact by visiting the p0f page there:
http://lcamtuf.coredump.cx/p0f-help/
Of course, security through obscurity doesn't protect against good hackers, but it helps to avoid (the most common case of) script kiddies blindly scanning network ranges for some known exploitable hole with dumb scripts.
And the hard job comes when you try to mask service banners (apache, ssh ...).
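Added illustration, not code from ben's post or from p0f/pf: a simplified matcher for pf.os-style signatures (window:ttl:df:size:options), showing why the window, TTL, DF bit, packet size and option list all have to line up before the WinXP SP1 line quoted above matches, and how the TTL seen on the wire (initial TTL minus hops) enters into it. The signature list, the sample SYN values and the 32-hop TTL allowance are constructed assumptions, not the exact pf/p0f matching rules.

```python
from dataclasses import dataclass

# Constructed signature list in window:ttl:df:size:options:label layout.
# The first line is the WinXP SP1 signature quoted in the comment above;
# the second is an illustrative OpenBSD-style line with an MSS wildcard.
SIGNATURES = [
    "32767:128:1:48:M1452,N,N,S:Windows XP SP1",
    "16384:64:1:60:M*,N,W0,N,N,T:OpenBSD 3.x (constructed)",
]

@dataclass
class Syn:
    window: int
    ttl: int        # TTL as observed on the wire, i.e. after the hops
    df: int
    size: int
    options: list   # e.g. ["M1452", "N", "N", "S"]

def window_matches(spec, window, mss):
    """Window field: exact value, '*' any, '%n' multiple of n, 'Sn' n*MSS."""
    if spec == "*":
        return True
    if spec.startswith("%"):
        return window % int(spec[1:]) == 0
    if spec.startswith("S"):
        return mss and window % (mss * int(spec[1:])) == 0
    return window == int(spec)

def options_match(spec, options):
    """Option list must match in order; 'M*' accepts any MSS value."""
    want = spec.split(",") if spec else []
    if len(want) != len(options):
        return False
    return all(o.startswith("M") if w == "M*" else w == o
               for w, o in zip(want, options))

def match(syn):
    """Return the labels of every signature the SYN is consistent with."""
    mss = next((int(o[1:]) for o in syn.options if o.startswith("M")), 0)
    hits = []
    for sig in SIGNATURES:
        win, ttl, df, size, opts, label = sig.split(":", 5)
        # Each hop decrements the TTL, so the observed value may sit below
        # the initial TTL in the signature; allow up to 32 hops (assumption).
        if not 0 <= int(ttl) - syn.ttl < 32:
            continue
        if int(df) != syn.df or int(size) != syn.size:
            continue
        if window_matches(win, syn.window, mss) and options_match(opts, syn.options):
            hits.append(label)
    return hits
```

With the sysctls from the comment and 14 hops in between, the SYN arrives with TTL 128 and matches the WinXP line; the same SYN sent with a stock TTL of 64 lands far below 128 and no longer matches it.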
Comments
By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/
BSD is dying, thank you.
By Anonymous Coward () on
BTW, where did you get the 128+14 values from? I assume you just doubled your stock TTL size, then added +14 from somewhere?
By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/
That's great. Then people will keep saying that the total number of servers running OpenBSD is near zero. Thanks for encouraging this.
By Wim () on
Oh wait, what if they all get rooted anyways?
By Frank Denis () j@pureftpd.org on http://www.pureftpd.org/
I care that vendors don't care about OpenBSD. For instance I don't know of any vendor of backup software that supports OpenBSD.
By Luiz Gustavo () on
Keep in mind that not every time do you need a full-blown solution.
Unfortunately it can prolly keep you out from many enterprise weenies.
By Frank Denis () j@pureftpd.org on http://www.pureftpd.org/
But this is not something my pointy hairy boss would tolerate. Backups are critical, we must purchase an expensive solution, with commercial support, etc.
We finally bought Legato Networker. There's nothing but an old, totally unsupported FreeBSD client and absolutely nothing for OpenBSD. So we have to make backups through NFS...
By Luiz Gustavo () on
I only disagree about commercial support, unfortunately.
I've only had bad support from big vendors and varied levels from 3rd-party ones.
Only this week I have seen my first AIX consultant with a clue, after five years working with it.
Yes I share the same pain.
By mr_scary () on
It is cool though.
Anyways, I asked Daniel Hartmeier (the creator of PF) on comp.unix.bsd.openbsd.misc this very question:
> a) Is it possible to thwart OS fingerprinting? If so, how?
Depends on what kind of fingerprinting. For netcraft, the following currently works
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all fragment reassemble
Then block by default with return-rst, creating state only on flags S/SA.
Your own outgoing TCP connections can be fingerprinted based on the various parameters in the TCP SYN, for instance changing
sysctl -w net.inet.tcp.recvspace=8192
sysctl -w net.inet.tcp.sendspace=8192
or other non-default values, will change the signature.
It will remain a race between detection and thwarting, there can't be a single 'thwart detection reliably for the next five years' switch, you'll have to regularly check how new detection algorithms work, and adjust parameters appropriately. It might not be worth the effort.
By Michael () on http://e.molioner.dk/
``Having an unpatched or antique OS version is not very convenient for your company prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, these kinds of 'bad' news are always sent to the public opinion.''
Err, hallo? Should your users trust you if you are indeed running an unpatched machine?
I think not. You truly deserve any public mocking that will hopefully follow a disclosure of such neglect.