On 16/06/17 23:57, javier perez wrote:
> They could open just a range of 5 dynamic ports and monitor them
> intensively...
I take it by "they" you mean the passive attacker? The server may open
any of (2^N) * (2^15) ports, where N is the number of IPs assigned to
the server, both IPv4 and IPv6. A range of 5 has a very minuscule
probability of success.
My point was that "for security" is bogus. In the end neither mode is
actually "secure" because the CTRL channel leaks like a sieve.
The reasons for choosing one over the other are solely about whether
your network design and that of all networks your clients' traffic goes
through allow that mode to work properly. NAT and similar things
existing all over the place nowadays invariably means passive mode is the
only way to get working FTP connections, so even laziness is
self-inflicted pain.
> Hello Matus,
> You are right, the thing is that our clients are not going to open any
> other port than 20 and 21 for security measures (or laziness).
FYI: The "for security" argument is bogus because:
a) allowing any random client to determine their own arbitrary port
number(s) is strictly worse for security than having your control point
(Squid) select the port, and
b) limiting that client-selected port to 20/21 makes the data between client
and Squid go over a port which is more easily predicted and therefore
interceptable by passive attack.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users