> > > but I run different ftp server.
> >
> > So fix your ftp server. You don't need to go hacking on the kernel for this.
> > Passive port ranges are an old old trick.
>
> Yes. Please don't play with the kernel. Their are alot of nice programs
> out their for this. Xinetd, tcpwrappers etc. If you really want to make
> your site secure I recommand the new book out "Maximum Linux Security: A
> Hacker's Guide to Protecting Your Linux Server and Workstation" by
> SAM. Its a really good book.
Ok, thanks for the hint, but I think that Xinetd/tcpwrappers offer a
different type of protecion than I wanted to. What I wanted to do is to
disable ALL incoming connection higher than 1024 (i.e. drop the packets
with SYN set/ACK cleared) and only allow passive ftp. Considering that
the patch adds rules directly through the kernel, I could lock the
ipchains rules themselves with a module from LIDS so they could not be
modified from anything but the boot scripts. This would be helpful in
prevention of backdoors, trojans etc. Quite possibly this may not work
however as I dont know how LIDS works exactly and have no knowledge of
the kernel source.
This kind of filtering is present in modern stateful firewalls so I
didn't think that it was something special.
Anyway, I think I will change the ftp server then - to establish
connections only on a limited range of ports.
Thanks for the replies,
Vladimir
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/