http://www.placenet.org/benoit/index.php/ fr Wed, 12 Nov 2008 14:03:18 +0100 http://blogs.law.harvard.edu/tech/rss Dotclear http://www.placenet.org/benoit/index.php/post/2007/09/10/loc-srv urn:md5:a7720603b6155abccdac86c28ee0961a Mon, 10 Sep 2007 22:44:00 +0200 Benoît Dejean iptableslinux <p>So this weekend, i used a DSL without any NAT, so my laptop was assigned a public IP by DHCP. My ulog log was spitting a lot, mainly on <code>tcp port loc-srv / 135</code>. Instead of sending REJECT, i opened my iptables and started the following ruby program to actually open all these connections. When someone sends me a SYN, I reply politely.</p> <pre> require 'socket' require 'etc' nobody = Etc.getpwnam('nobody') loc_srv = Socket::getservbyname('loc-srv') Dir.chroot('/var/run/empty') Dir.chdir('/') server = TCPServer.new(loc_srv) Process::UID.change_privilege(nobody.uid) print &lt;&lt;&quot;EOF&quot; uid/euid #{Process.uid}/#{Process.euid} chrooted in #{Dir.pwd} listening on address #{server.addr.inspect} EOF clients = [] loop do begin client = server.accept_nonblock rescue Errno::EAGAIN, Errno::ECONNABORTED, Errno::EPROTO, Errno::EINTR IO.select([server]) next end # remember client so the connection stays opened clients &lt;&lt; client print &quot;#{client.peeraddr.inspect} connected &quot; end </pre> <p>This script needs to be started with some privileges in order to bind on 135, but then it drops its priv and chroot to somewhere safe. That was very instructive, after ~10minutes, <code>ss | grep -c loc-srv</code> was reporting more than 280 connections from ~80 differents hosts.<br /></p> <p>What a storm. I'm definitely safe under my GNU+Linux umbrella <img src="/benoit/themes/default/smilies/smile.png" alt=":)" class="smiley" /><br /></p> <p>And Ruby is fun <img src="/benoit/themes/default/smilies/smile.png" alt=":)" class="smiley" /></p>