On Wed, 25 Jul 2001 13:38:19 EDT, Jason Healy writes: <DENY vs. REJECT>
>The other problem is that if you DENY certain oft-used services, you
>can cause problems. For example, if you DENY on the ident service
>port, machines trying to connect to you will timeout waiting for ident
>info. Some mail servers try to connect back to the ident port on a
>client before accepting mail. If your machine DENYs ident requests,
>it will have to wait for that timeout to occur before sending mail.
>
>Moral of that story is to make sure that you either run an ident
>server, or set it to REJECT.
Well, I wouldn't (and don't) run identd, since I have no intention of
revealing the name of the user running a particular service (in general
this will be either your login-name or root), but there are some
interesting other options:

- accept connections to services like ident (or finger or ...) but just
  return random garbage. One option for this is via inetd:

      ident stream tcp nowait nobody /bin/dd dd if=/dev/urandom bs=64 count=1

- or, for ident specifically, use fakeidentd (see freshmeat.net,
  excellent software).

Of course, you would want to log such connections via the
kernel-firewall, just so you'll know what's going on.

cheers,
&rw

-- 
-- Renting airplanes is like renting sex: It's difficult to arrange
-- on short notice on Saturday, the fun things always cost more, and
-- someone's always looking at their watch. - Paul Tomblin, asr
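As an added example (not code from the original post, nor from fakeidentd): a minimal ident responder in Python that answers every RFC 1413 query immediately with a HIDDEN-USER error, so a mail server probing back gets its answer at once instead of sitting on a DENY timeout, while no real username is disclosed, and that logs each query as the post recommends. The listen port 1130 is an assumption for running unprivileged; the real service port is 113.

```python
import re
import socketserver

# Request line per RFC 1413: "<server-port>, <client-port>" ended by CRLF.
_REQ = re.compile(rb"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def ident_reply(request: bytes) -> bytes:
    """Build the reply to one ident query without revealing any user.

    Well-formed queries get "ERROR : HIDDEN-USER" (a legal RFC 1413 reply
    saying the identity is deliberately withheld); malformed lines or
    out-of-range ports get "ERROR : INVALID-PORT".
    """
    m = _REQ.match(request.rstrip(b"\r\n"))
    if not m:
        # No usable port pair could be parsed, so "0, 0" is echoed back.
        return b"0, 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return b"%d, %d : ERROR : INVALID-PORT\r\n" % (sport, cport)
    return b"%d, %d : ERROR : HIDDEN-USER\r\n" % (sport, cport)


class IdentHandler(socketserver.StreamRequestHandler):
    timeout = 10  # drop slow or idle peers instead of holding the socket

    def handle(self):
        line = self.rfile.readline(1024)  # one query per connection
        if not line:
            return
        reply = ident_reply(line)
        # Log who asked and what we answered, as the post advises.
        print(f"ident query from {self.client_address[0]}: "
              f"{line.strip()!r} -> {reply.strip()!r}")
        self.wfile.write(reply)


if __name__ == "__main__":
    # Assumed unprivileged listen port; the real ident port 113 needs root.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 1130), IdentHandler) as srv:
        srv.serve_forever()
```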