ClearFoundation Tracker - ClearOS
View Issue Details
ID: 0000239
Project: ClearOS
Category: deprecated - ClearOS 5 Protocol Filter
View Status: public
Date Submitted: 2011-02-18 15:06
Last Update: 2012-04-18 19:39
Reporter: therevmj
Assigned To: dsokoloski
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 5.2-SP1
Fixed in Version: 6.2.0 Beta 2
0000239: blocking finger protocol is overly aggressive
If you enable blocking of the finger protocol, many other protocols are also blocked.
The pattern used for blocking the finger protocol (found in /etc/l7-filter/protocols/protocols/finger.pat) is:
   ^[a-z][a-z0-9\-_]+|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:

The exceedingly problematic portion is:
    ^[a-z][a-z0-9\-_]+

Given the fact that the l7 filters are case insensitive, this means that any protocol that sends packets that start out with a letter followed by at least one letter, number, -, or _ will match.

I can only say for certain that http traffic is blocked when this rule is enabled, others should be affected as well (ssh because the banner starts out with 'SSH').

This rule either needs to be restricted to the default finger port of 79, or the pattern needs to be modified such that it does not block http and ssh protocols.

Unfortunately, I am not familiar enough with the finger protocol to provide any recommendations in regards to possible pattern modifications.
No tags attached.
Attachment: finger.txt (1,891 bytes), added 2011-10-27 15:03
https://tracker.clearos.com/file_download.php?file_id=16&type=bug
Issue History
2011-02-18 15:06  therevmj    New Issue
2011-03-02 15:45  user2       Status: new => confirmed
2011-10-24 14:27  user2       Status: confirmed => assigned
2011-10-24 14:27  user2       Assigned To => dsokoloski
2011-10-27 15:03  dsokoloski  File Added: finger.txt
2011-10-27 15:10  dsokoloski  Note Added: 0000384
2011-10-27 15:11  dsokoloski  Status: assigned => resolved
2011-10-27 15:11  dsokoloski  Resolution: open => fixed
2011-10-27 15:11  dsokoloski  Fixed in Version => 6.1 Beta 2
2012-04-18 19:39  user2       Status: resolved => closed
2018-01-15 16:31  user2       Category: app-protocol-filter - Protocol Filter Manager => app-protocol-filter - ClearOS 5
2018-01-15 16:32  user2       Category: app-protocol-filter - ClearOS 5 => deprecated - ClearOS 5 Protocol Filter

Notes
(0000384) dsokoloski, 2011-10-27 15:10
Unfortunately l7-filter does not combine content matching with protocol details such as source or destination address/port. The finger protocol pattern is already listed as under- and over-matching. Due to the nature of the protocol (see http://tools.ietf.org/html/rfc1288), there is no easy way to block this protocol using pattern matching. It's recommended to add a blocking firewall rule for TCP traffic on port 79 rather than use this pattern.

However, I have updated the pattern to also require a match on 0x0d 0x0a at the end of the login name. This will improve the accuracy slightly and reduce over-matches for some protocols (SSH, HTTP headers), but will still over-match for any string that contains a-z + a-z0-9-_ and ends with CRLF.
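To make the over-match concrete, here is an added Python example (not ClearOS or l7-filter code) that applies the finger pattern the way l7-filter does, case-insensitively against the first bytes of a connection, to a few constructed protocol samples. The original pattern is the one quoted in the report; the tightened pattern is an assumed reconstruction of the CRLF change described in the note, not the contents of the attached finger.txt.

```python
import re

# Pattern quoted in the report from /etc/l7-filter/protocols/protocols/finger.pat.
ORIGINAL_FINGER_PAT = (
    r"^[a-z][a-z0-9\-_]+"
    r"|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:"
)

# Assumed reconstruction of the fix in note 0000384: require 0x0d 0x0a right
# after the login name. The real updated pattern is in the attached finger.txt.
TIGHTENED_FINGER_PAT = (
    r"^[a-z][a-z0-9\-_]+\x0d\x0a"
    r"|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:"
)


def l7_matches(pattern, stream):
    """Mimic how l7-filter applies a pattern: the first application-data bytes
    of a connection form one buffer, matching is case-insensitive, and '^' is
    anchored only at the very start of that buffer (no multiline mode)."""
    return re.search(pattern, stream, re.IGNORECASE) is not None


# Constructed samples of the first bytes several protocols put on the wire.
SAMPLES = {
    "finger request": "root\r\n",
    "finger reply": "Login: alice  Name: Alice Example  Directory: /home/alice\r\n",
    "http": "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "ssh": "SSH-2.0-OpenSSH_5.3\r\n",
    "pop3": "QUIT\r\n",
}


def classify(pattern):
    """Return {sample name: True if the pattern would tag it as finger}."""
    return {name: l7_matches(pattern, data) for name, data in SAMPLES.items()}


def over_matches(pattern):
    """Non-finger samples that the pattern still tags as finger."""
    hits = classify(pattern)
    return sorted(n for n, hit in hits.items() if hit and not n.startswith("finger"))


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL_FINGER_PAT), ("tightened", TIGHTENED_FINGER_PAT)):
        print(label, classify(pat), "over-matches:", over_matches(pat))
```

With the original pattern the HTTP request line and the SSH banner both match on their first two letters alone; the CRLF requirement clears those, but a bare command such as POP3's "QUIT" still matches, which is why the note recommends blocking TCP port 79 at the firewall instead.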