
#1 2004-09-30 22:52:18

skoal
Member
From: Frequent Flyer Underworld
Registered: 2004-03-23
Posts: 612

Any 1337 /^ Ha+0r5 out there?

Any "leet arch haxors" out there?  I need some 411...

My ISP is on a "need to know" basis.  If I think he needs to know, I'll let him know...and he don't.

Basically, I'm running a few servers off my machine.  Obviously, most ISP admins will close down well known ports for people like me, so as not to abuse the terms of service.  What I'm doing is innocent enough.  I'm running a Web Server, Email Server, and occasional other stuff.  All for the benefit of remote communication while I'm away on business.

* Help point me in the right direction.  I'll give you an example with just Apache, and I'll use your good advice for the rest of my servers.

OVERVIEW
-------------

1. Like I said, I'm using these servers very, very modestly.  So, at best, the ISP won't turn his keen eye at my IP, because of my bandwidth usage.  If that's the case, nothing more is really necessary.

2. Currently, my ISP does not have well known service ports like 80, 21, 23, or even some of the more common P2P clients like Gnutella and BitTorrent blocked.

3. Since these ports are not blocked, just to keep my ISP's attention elsewhere, I'm using WebHop (through dyndns.org service) to redirect any http requests to port 9019.

4. I've checked a few "unassigned" ports (from the IANA list) like 9019 against well known ports (in another list) used commonly by trojans and such.  Since I picked a port like this, hopefully it won't send up any red flags to my ISP as well.  Redirecting http requests to the alternate 8080 would seem an obvious check to any seasoned ISP admin.  So, I avoided using something like that for my port redirect.

THE MEAT OF THE MATTER
-------------------------------

5. When I fire up Apache using this port 9019, I can run a port scan on my machine and it returns:

nmap -sT -p 9019 morpheus

Interesting ports on localhost.localdomain (127.0.0.1):
PORT     STATE SERVICE
9019/tcp open  unknown

** But, if I try a little harder (using nmap), I get the following:

nmap -sT -p 9019 -sV morpheus

Interesting ports on localhost.localdomain (127.0.0.1):
PORT     STATE SERVICE VERSION
9019/tcp open  http    Apache httpd

*** OOPS! You see my problem...

6. I want to hide a port scan from returning such information, or better yet, return back something which it isn't.  Which would be nice to do anyway to hide that from non-ISP prying eyes running port scans on my domain or outside of it.

7. I guess I'm easily busted anyway if the ISP just types in my IP:9019 as the URL in a browser.

8. Any way to tell Apache to spew something else back from a direct IP:PORT request?  I don't know if in the application layer Apache would even have that TCP/IP stack stuff.  If it does, I would like Apache to ignore all those type requests and allow all others with normal referrers who went through a DNS server first.

9. All this is moot anyway, if he wants to take the time to decode a stream of packets coming from my IP.  Not much you can do against that I guess.

CONCLUSION
----------------

I hope you understand what I'm basically asking to do.  If I can just hide my http server as best I can, I can handle all other remote services I need through it, and make do without the others that I can't.

I don't want to (or remotely chance) the possibility of losing my privileges on an OC-3 backbone from my ISP.  And, I believe everything in life should be free, so paying for anything as an alternative is not an option.

Any help/advice is appreciated.

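What `nmap -sV` did in the post above is the check any scanner does: it ignores the port number and matches whatever the service says when it is poked. The script below is an added example, not from the original thread and not nmap's own code; it reproduces that matching logic on constructed sample responses. The `SIGNATURES` table, the `SAMPLES` responses and the host/port used in `grab_banner` are assumptions made for the illustration.

```python
"""nmap -sV style service fingerprinting, reduced to its essence.

Added example (not from the original thread). The SIGNATURES table and the
SAMPLES responses are constructed for illustration; grab_banner() is the
only part that touches the network and is not needed to run the samples.
"""
import re
import socket

# A generic HTTP probe; nmap sends several such probes per port and matches
# the responses against its nmap-service-probes database.
HTTP_PROBE = b"GET / HTTP/1.0\r\n\r\n"

# (service, product, regex). Patterns are searched over the whole raw
# response, so a Server header or an HTML footer identifies the software
# no matter which port it listens on. First match wins.
SIGNATURES = [
    ("http", "Apache httpd",
     re.compile(rb"\r\nServer: Apache(?:/(?P<version>[\d.]+))?", re.I)),
    ("http", "nginx",
     re.compile(rb"\r\nServer: nginx(?:/(?P<version>[\d.]+))?", re.I)),
    # ServerSignature On leaks the product in the error-page footer even
    # when the Server header gives nothing away.
    ("http", "Apache httpd",
     re.compile(rb"<address>Apache(?:/(?P<version>[\d.]+))? Server at", re.I)),
    ("http", None, re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("ssh", "OpenSSH", re.compile(rb"^SSH-2\.0-OpenSSH_(?P<version>[\w.]+)")),
]


def fingerprint(response: bytes) -> dict:
    """Classify a raw response by content alone (the port number is irrelevant)."""
    for service, product, pattern in SIGNATURES:
        match = pattern.search(response)
        if match:
            version = match.groupdict().get("version")
            return {
                "service": service,
                "product": product,
                "version": version.decode() if version else None,
            }
    return {"service": "unknown", "product": None, "version": None}


def grab_banner(host: str, port: int, probe: bytes = HTTP_PROBE,
                timeout: float = 3.0) -> bytes:
    """Connect, send the probe and return everything the service sends back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(probe)
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # the service kept the connection open; use what we have
    return b"".join(chunks)


# Constructed responses: what Apache on port 9019 might send at two
# ServerTokens levels, a stripped header with ServerSignature On, and an
# unrelated daemon for contrast.
SAMPLES = {
    "ServerTokens Full": (
        b"HTTP/1.1 200 OK\r\nDate: Thu, 30 Sep 2004 22:52:18 GMT\r\n"
        b"Server: Apache/1.3.31 (Unix) PHP/4.3.8\r\n"
        b"Content-Type: text/html\r\n\r\n<html></html>"
    ),
    "ServerTokens Prod": (
        b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
        b"Content-Type: text/html\r\n\r\n<html></html>"
    ),
    "Server header removed, ServerSignature On": (
        b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body><h1>Not Found</h1><hr>\n"
        b"<address>Apache/1.3.31 Server at morpheus Port 9019</address>\n"
        b"</body></html>"
    ),
    "OpenSSH on the same port": b"SSH-2.0-OpenSSH_3.9p1\r\n",
}


if __name__ == "__main__":
    for label, response in SAMPLES.items():
        print(f"{label:45} -> {fingerprint(response)}")
    # Live use against the host from the post (assumed name and port):
    # print(fingerprint(grab_banner("morpheus", 9019)))
```

Run as-is it classifies the four constructed samples; the point is that the "ServerTokens Prod" sample still comes back as Apache httpd (only the version is gone), and the sample with no Server header at all is still identified from the `<address>` footer. Changing the port moves the listener, it does not change a single byte of these responses.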

#2 2004-09-30 23:20:09

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879

Re: Any 1337 /^ Ha+0r5 out there?

the only thing I can say right now is check the apache docs.... also take a look at thttp (tiny http) and maybe some others... if all else fails you could internally forward the port on your own machine to try and confuse it...

i.e. when a request comes in on 9019 simply pass it on to... say port 45678
this would involve some crap I'm not familiar with, but it should be able to be done - if all else fails I could seriously hack up a program to do just this in like an hour....


#3 2004-10-27 12:50:57

Michel
Member
From: Belgium
Registered: 2004-07-31
Posts: 286

Re: Any 1337 /^ Ha+0r5 out there?

I'm no expert .. but I suppose you can always check what kind of service is running by the type of response you get from the server ... but maybe not easy.

Some things I can think of:

1) portknocker ... but don't know how safe it is to use portknocker
2) vpn : so you can access the services you want
3) It's possible that users have to authenticate themselves to the firewall, before anything is allowed ... but I don't know if this is also true/safe for remote authentications ... but I suppose it's something like a vpn, but not so safe maybe ?


#4 2004-10-27 13:15:22

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: Any 1337 /^ Ha+0r5 out there?

Just use https instead of http for all your sites, then they first need to make an SSL connection before they see any http. Decoding a stream of packets will only reveal that it's an SSL connection, which can be anything.

What are the terms of service? If you aren't allowed to run any server, then it's very easy for the ISP to enforce that, and trying to hide in some high numbered port is useless. But it seems running a server is allowed, so what's the big deal?


#5 2004-10-27 20:52:23

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: Any 1337 /^ Ha+0r5 out there?

#This directive controls whether Server response header field which is
#sent back to clients includes a description of the generic OS-type of the
#server as well as information about compiled-in modules.

#ServerTokens Prod[uctOnly] only available in versions later than 1.3.12
#    Server sends (e.g.): Server: Apache
#ServerTokens Min[imal]
#    Server sends (e.g.): Server: Apache/1.3.0
#ServerTokens OS
#    Server sends (e.g.): Server: Apache/1.3.0 (Unix)
#ServerTokens Full (or not specified)
#    Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2
ServerTokens Prod


I don't know if this can be set to off. I always set it to Prod, and that was good enough for me. I think you would have to hack the source to get this to not show anything...

As for your ISP port scanning you, I would read carefully my terms of service. I don't know the legality of an ISP port scanning their customers.
If they do, then they cannot rightly claim common carrier status (ie. they only provide the pipe, and don't know what their customers do with it). If that were the case, then they could be sued for every instance of someone doing something bad originating FROM their network. I don't know any ISP that wants that to happen.

I wouldn't worry about them portscanning you. The fact that you are using non-standard ports should be enough.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

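Putting the ServerTokens setting from the post above next to the two other pieces a practitioner would pair it with, as an added httpd.conf fragment that is not from the thread or from the Apache project: ServerSignature Off (so error pages stop printing "Apache/x.y.z Server at host Port 9019"), and a default virtual host that answers bare-IP requests (points 7 and 8 of the first post) with 403 instead of the site. It is written in the 1.3/2.0-era syntax the quoted fragment uses; the port 9019 comes from the first post, while the name example.dyndns.org and the directories /srv/www and /srv/www/none (both assumed to exist) are assumptions.

```apache
# Global: shrink what the Server header and error pages reveal.
# Full (the default) would send e.g. "Apache/1.3.31 (Unix) PHP/4.3.8";
# Prod sends just "Apache".
ServerTokens Prod
# Off removes the "Apache/1.3.31 Server at host Port 9019" footer from
# error pages (and from mod_autoindex listings).
ServerSignature Off

Listen 9019
NameVirtualHost *:9019

# The first VirtualHost for an address:port pair is the default. A request
# whose Host header is the bare IP, or anything other than a ServerName
# below, lands here and gets 403, not the real site.
<VirtualHost *:9019>
    ServerName default.invalid
    DocumentRoot /srv/www/none
    <Directory /srv/www/none>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# The real site answers only when the dynamic-DNS name is in Host:.
<VirtualHost *:9019>
    ServerName example.dyndns.org
    DocumentRoot /srv/www
    <Directory /srv/www>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Two caveats. Apache has no way to tell whether a client "went through a DNS server first"; the only thing it sees is the Host header, which is why the name-based default vhost is the mechanism here, and anyone who knows the DynDNS name can send that header by hand. And the fragment hides the content, not the software: the 403 from the default vhost still carries `Server: Apache`, so `nmap -sV` reports Apache httpd exactly as in the first post. The product name goes away only when the port is not reachable at all (a VPN or SSH tunnel, or port knocking as suggested earlier in the thread).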
