socket security

Gerhard Häring gh_pythonlist at gmx.de
Sun Apr 7 13:32:03 EDT 2002


* Jon Ribbens <jon+usenet at unequivocal.co.uk> [2002-04-07 03:08 -0000]:
> In article <40sr8.3765$rg3.345703 at news-binary.blueyonder.co.uk>,
>   Alastair Nicol wrote:
> > 1) Can only hosts which can see the interface your program is bound to 
> > communicate with your program. In the "normal" case if you bind to 
> > 127.0.0.1 for example ONLY your machine can see that interface. Other 
> > machines cannot connect to it. Is this a safe / secure assumption? (not just 
> > for localhost)
> 
> No. Other machines on your local net can talk to your localhost by
> sending ethernet packets with your machine's MAC address and 127.0.0.1
> as the IP address.

Which you can fight by activating route verification on your OS.

If your OS doesn't have builtin route verification, you should set up
packet filtering rules to deny packets with obviously spoofed addresses,
like non-local packets coming in from elsewhere than the loopback
interface. Or packets that pretend to come from the internal network,
but come in thru the device that's connected to the Evil Internet [tm].

On Linux, enabling CONFIG_IP_ADVANCED_ROUTER and executing this on bootup
does the job already:

# Route verification (fight IP spoofing)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
	echo 1 > $f
done
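The route-verification step above, as an added example that is not part of Gerhard's post: a POSIX shell script that enables rp_filter on every interface, then audits the tree and reports any interface where reverse-path filtering is still off. The directory is a parameter (defaulting to /proc/sys/net/ipv4/conf) so the audit can be exercised against a constructed copy of the sysctl tree without root. The anti_spoof_rules function covers the second case in the post, a system without built-in route verification, by printing (not applying) iptables rules that drop packets with a loopback source arriving on a non-loopback interface or an internal-network source arriving on the external interface; the interface name and network it uses are constructed defaults.

```shell
#!/bin/sh
# Added example, not from the original post: enable and audit Linux
# reverse-path filtering (rp_filter), and print fallback anti-spoofing
# packet-filter rules. CONF_DIR is overridable so the audit can be run
# against a constructed copy of the sysctl tree without root.

CONF_DIR="${CONF_DIR:-/proc/sys/net/ipv4/conf}"

# Write 1 (strict reverse-path filtering) into every per-interface
# rp_filter knob under $1, including the "all" and "default" entries.
enable_rp_filter() {
    dir="${1:-$CONF_DIR}"
    for f in "$dir"/*/rp_filter; do
        [ -e "$f" ] || continue
        echo 1 > "$f"
    done
}

# Print one line per interface under $1 whose rp_filter is 0 (off).
# Returns 0 when every interface has it on, 1 otherwise.
audit_rp_filter() {
    dir="${1:-$CONF_DIR}"
    bad=0
    for f in "$dir"/*/rp_filter; do
        [ -e "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        if [ "$val" = "0" ]; then
            echo "rp_filter off on $iface"
            bad=1
        fi
    done
    return $bad
}

# Fallback for a kernel without route verification: print iptables rules
# that drop packets with obviously spoofed source addresses. $1 is the
# external interface, $2 the internal network in CIDR form (constructed
# defaults). The rules are printed rather than applied so they can be
# reviewed before being put into a boot script.
anti_spoof_rules() {
    ext="${1:-eth0}"
    internal="${2:-192.168.0.0/24}"
    # loopback addresses may only arrive on the loopback device
    echo "iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP"
    # the internal network must never arrive from the outside interface
    echo "iptables -A INPUT -i $ext -s $internal -j DROP"
}

# Build a constructed copy of the sysctl tree (all knobs off) for a dry run
# and print its path.
make_fake_tree() {
    root=$(mktemp -d)
    for i in all default lo eth0; do
        mkdir -p "$root/$i"
        echo 0 > "$root/$i/rp_filter"
    done
    echo "$root"
}

# Dry run: ./rpfilter.sh --demo  (no root needed, uses the fake tree)
if [ "${1:-}" = "--demo" ]; then
    t=$(make_fake_tree)
    audit_rp_filter "$t" || true
    enable_rp_filter "$t"
    audit_rp_filter "$t" && echo "all interfaces verified"
    anti_spoof_rules eth0 192.168.0.0/24
    rm -rf "$t"
fi
```

On a real host, run enable_rp_filter with no argument from a boot script as in the post, then audit_rp_filter afterwards; a non-zero exit status tells a monitoring job that some interface lost the setting.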

Gerhard
-- 
This sig powered by Python!
Outside temperature in München: 7.2 °C      Wind: 4.2 m/s