Bugtraq: Re: Livingston bugs...

[angio () aros net (Dave Andersen)]

Lo and behold, Jay 'Whip' Grizzard once said:

> I, personally, can't understand such a passive attitude on the part of
> Livingston -- I personally would call a bug where you can crash virtually
> anyone's network connection, from virtually anywhere in the world, to be
> a major bug. Maybe it's just me...
   Because there's an easy solution to it which you've mentioned below:

> ObBugTraq: Apparently (at least, under limited testing), putting up a filter
> to prevent folks from getting to your login port from the outside world
> will protect you -- Except I don't _want_ to have to start filtering things
> out, and in some circuimstances (backbone routers, etc), it's not exactly
> a viable option. Do YOU want to have the bandwith of several T1's all
> running through a filter before they get off the router? No, thanks...
   Not necessarily.  Setting up a really simple filter to disallow
telnets to the portmaster itself is a very trivial option, and has been
discussed at _great_ length with many examples on the portmaster-users
mailing list.  Something as simple as

----- Quote from Carl Rigney @ livingston -----
add filter notelnet.in
set filter notelnet.in 1 permit 192.168.2.0/24 192.168.2.2/32 tcp dst eq 23 log
set filter notelnet.in 2 deny 0.0.0.0/0 192.168.2.2/32 tcp dst eq 23 log
set filter notelnet.in 3 permit
set ether0 ifilter notelnet.in
save all

If you're having problems with your dial-in users doing this, you can
block that too by adding the following RADIUS attribute:

        Framed-Filter-Id = "notelnet"
------- end quote -----------

will solve that problem and any other possible "telnetting to the
portmaster and doing <blah blah blah>" problem.

    -Dave Andersen

--
angio () aros net                Complete virtual hosting and business-oriented
system administration         internet services.  (WWW, FTP, email)
http://www.aros.net/          http://www.aros.net/about/virtual/