time to live
# 1  
Old 06-20-2005
Question time to live

I'm wondering about the TTL for the sshd on Solaris 9 ... I read that you can change it to a different value to fool some OS "fingerprinting" tools such as queso or nmap. The default value is 255; I've tried to set it to 155 and 55 but nmap still sees that port 22 is open. Do you know something about that?

Code:
root@xxx # uname -a
SunOS xxx 5.9 Generic_118558-06 sun4u sparc SUNW,Ultra-1
root@xxx # ndd -get /dev/ip ip_def_ttl
255
root@xxx # ndd -set /dev/ip ip_def_ttl 55
root@xxx # ndd -get /dev/ip ip_def_ttl
55
BUT still:
pressytest@gentoo ~ # nmap -v 192.168.133.122

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-20 19:48 MEST
Initiating SYN Stealth Scan against 192.168.133.122 [1663 ports] at 19:48
Discovered open port 22/tcp on 192.168.133.122
Increasing send delay for 192.168.133.122 from 0 to 5 due to 18 out of 58 dropped probes since last increase.
Increasing send delay for 192.168.133.122 from 5 to 10 due to max_successful_tryno increase to 4
Increasing send delay for 192.168.133.122 from 10 to 20 due to max_successful_tryno increase to 5
The SYN Stealth Scan took 44.66s to scan 1663 total ports.
Host 192.168.133.122 appears to be up ... good.
Interesting ports on 192.168.133.122:
(The 1662 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 08:00:20:xx:xx:xx (SUN Microsystems)

Nmap finished: 1 IP address (1 host up) scanned in 44.997 seconds
               Raw packets sent: 1984 (79.3KB) | Rcvd: 1664 (76.5KB)
pressytest@gentoo ~ #

??? What would be a good value to prevent "easy & fast" remote port scanners from seeing it and make it "invisible"?

greetings PRESSY
# 2  
Old 06-20-2005
The idea with fingerprinting is that you know an IP address that seems to be a computer. Now you want to know the brand (Solaris, HP-UX, AIX, etc.). Once you know that it is, say, a Solaris box, you then try known Solaris weaknesses. Since, by default, Solaris uses 255 as a TTL, if you see a TTL of 255, it might be Solaris. The trouble is that 255 is the max for TTL, and in the '90s a few OSes got burned with TTLs that were too small. My impression is that most vendors cranked TTL up to the max. If you really feel the need to fiddle with TTL, keep it high. 155 is not too bad. You might regret 55 though.

Changing the TTL is not going to close a port. You're trying to make them think you have a Linux box or something. That way they spend all the time hitting you with Linux attacks rather than Solaris attacks.

This is a bunch of jive if you ask me. Keep your Solaris box well patched and then you should not care if the bad guys know it's Solaris. Security by obscurity does not work. But here is another opinion.
# 3  
Old 06-21-2005
thx mate, got it. I read through the link; that's a good explanation. I see that it makes no sense on my configuration because:
Code:
pressytest@gentoo ~ # telnet 192.168.133.122 22
Trying 192.168.133.122...
Connected to 192.168.133.122.
Escape character is '^]'.
SSH-2.0-Sun_SSH_1.0.1
exit
Connection closed by foreign host.
pressytest@gentoo ~ # 

AND:

MAC Address: 08:00:20:xx:xx:xx (SUN Microsystems)

I would have to change my SSH server to OpenSSH and make a dummy MAC for another vendor. True, it should work fine with a patched system.
thanks again
greetings PRESSY
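To make the reasoning in posts #2 and #3 concrete, here is an added example (not code from the thread) that models the passive clues discussed: an observed TTL rounded up to the nearest OS default to guess the OS family and hop count, the hop budget a low TTL leaves before packets expire, the SSH identification banner, and the MAC OUI. The OS-family table and the OUI table are constructed samples, and the hop count in the demo is an assumption.

```python
import re

# Well-known default initial TTLs by OS family (Linux/BSD 64, Windows 128,
# Solaris/Cisco 255); the table is illustrative, not exhaustive.
INITIAL_TTLS = {64: "Linux/BSD-like", 128: "Windows-like", 255: "Solaris/Cisco-like"}

# Sample OUI table (constructed): only the Sun prefix shown in the thread's nmap output.
OUI_VENDORS = {"08:00:20": "Sun Microsystems"}


def guess_initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest well-known default.

    Returns (initial_ttl, hops_traversed, os_family_guess), which is how a
    passive fingerprinter turns 'TTL 255' into 'probably Solaris'."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("observed TTL must be 1..255")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTLS[initial]


def observed_after_hops(initial_ttl, hops):
    """TTL a scanner `hops` routers away would see, or None if the packet
    expired on the way (each router decrements TTL and drops it at zero)."""
    remaining = initial_ttl - hops
    return remaining if remaining >= 1 else None


def parse_ssh_banner(banner):
    """Split an SSH identification string (RFC 4253 form
    'SSH-protoversion-softwareversion [SP comments]') into its parts."""
    m = re.match(r"^SSH-(\d\.\d+)-(\S+)(?: (.*))?$", banner.strip())
    if not m:
        return None
    return {"protocol": m.group(1), "software": m.group(2), "comments": m.group(3)}


def mac_vendor(mac):
    """Look up the 24-bit OUI prefix of a MAC address in the sample table."""
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")


if __name__ == "__main__":
    for ttl in (255, 155, 55):              # the three values tried in the thread
        seen = observed_after_hops(ttl, 3)  # assumption: scanner is 3 routers away
        print(ttl, "->", seen, guess_initial_ttl(seen) if seen else "expired")
    print(parse_ssh_banner("SSH-2.0-Sun_SSH_1.0.1"))  # banner from post #3
    print(mac_vendor("08:00:20:aa:bb:cc"))             # OUI from the nmap output
```

With three hops, 155 still rounds up to the 255 bucket while 55 rounds up to 64, which is the trade-off post #2 describes; the banner and OUI give the vendor away regardless of TTL.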
# 4  
Old 06-23-2005
Another way

Hi there,
There is another good and fun way to hide any particular service on your box; you may take a look at portknocking.org. Any port scanner is useless against this new "kind of connecting".

Cheers,