Gentoo Archives: gentoo-security

From: Kim Ingemann <mail@×××××××××××.dk>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Fri, 09 Jan 2004 12:21:25
In Reply to: Re: [gentoo-security] firewall suggestions? by Sandino Araico Sanchez
On Fri, 2004-01-09 at 12:22, Sandino Araico Sanchez wrote:
> Kim Ingemann wrote:
>
> >I'm using portsentry and I can really recommend it. It can act as a trap
> >for scanners because it binds itself to certain manually defined ports
> >(that scanners usually scan). My setup says that if someone touches a
> >couple of those ports in a short period of time it drops the connection
> >to that IP directly and notifies me about it through my cellphone.
>
> That kind of automatic policy is dangerous, you can unknowingly block
> away whole cable ISPs in some cases and in other cases somebody can
> manage to spoof some important IP addresses to make your server block
> them away...
Yes, of course. But they will be removed from the firewall again later. It is simply to prevent any successful scan on a larger port range. It's not like I'm not monitoring anything. As I wrote, I get notified by cellphone when anything happens. If it happens that any important IP address gets blocked, I simply remove it again at once. If I didn't use it, the kiddie would have a successful scan in a matter of seconds, perhaps minutes. Most likely he/she would run different exploits on the open services to gain access to the machine. If any succeed, it could perhaps take two or three minutes to get root access to my machine, while I'm taking a piss or whatever, without me knowing anything about it. That could happen anyway without a scan, but I'm sure that a large amount of those kiddies are scanning the host to find open services before they try to exploit them. Having my cellphone beeping, there is surely a reason to go monitor the system for any changed files or whatsoever (I have scripts for that) if I'm not currently active (like when sending mails to a mailing list :o)).
> >This means that the attacker is already dropped before he/she have a
> >chance to use some exploits of the services I'm running.
>
> This means some script kiddies are blocked away, but it's useless
> against (for example) somebody with an exploit for rsync scanning
> exclusively the rsync port for vulnerable hosts.
Exactly as I mentioned below, yes.
> > Of course - If
> >they're used before the scan takes place, then we have a little problem.
> >But I guess it takes care of the most of them anyway.
-- Med venlig hilsen / Best regards, Kim Ingemann
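The trap-port logic debated in this thread (watch a set of otherwise-unused ports, block a source that touches several of them within a short window, lift the block again later) is small enough to show in full. The following is an added example written for this archive page; it is not portsentry's code and not the poster's configuration. The trap-port set, the threshold of two hits in ten seconds, the one-hour block lifetime and the allowlist of "important" addresses (the mitigation for the objection raised in the quoted reply about blocking whole ISPs or spoofed addresses) are all assumptions, and the log lines fed to it are constructed. The block/unblock actions are callbacks so that a real deployment could hand them an iptables or ipset command; here they only record what would have happened.

```python
"""Toy port-scan trap in the spirit of the portsentry setup discussed above.
Illustrative code added to the archive page; not portsentry's own logic."""
from collections import defaultdict, deque

# Assumption: a handful of ports nothing legitimate listens on. Any set of
# unused ports works; these are just examples of ports scanners tend to probe.
TRAP_PORTS = {1, 11, 15, 79, 111, 540, 635, 1080, 1524, 2000, 5742, 12345, 31337}


class ScanTrap:
    def __init__(self, trap_ports=TRAP_PORTS, threshold=2, window=10.0,
                 block_ttl=3600.0, allowlist=frozenset(),
                 on_block=None, on_unblock=None):
        self.trap_ports = set(trap_ports)
        self.threshold = threshold      # trap-port touches needed to block
        self.window = window            # ... within this many seconds
        self.block_ttl = block_ttl      # block is lifted automatically after this
        self.allowlist = set(allowlist) # addresses that must never be blocked
        self.on_block = on_block or (lambda ip: None)
        self.on_unblock = on_unblock or (lambda ip: None)
        self.hits = defaultdict(deque)  # ip -> timestamps of trap-port touches
        self.blocked = {}               # ip -> time the block expires

    def expire(self, now):
        """Lift blocks whose lifetime has run out (the 'removed again later' part)."""
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]
            self.on_unblock(ip)

    def observe(self, ip, port, now):
        """Feed one connection attempt; return the decision taken for it."""
        self.expire(now)
        if ip in self.blocked:
            return "already_blocked"
        if port not in self.trap_ports:
            return "ignore"             # normal service traffic, none of our business
        if ip in self.allowlist:
            return "allowlisted"        # counted as nothing: never auto-block these
        q = self.hits[ip]
        q.append(now)
        while q and q[0] < now - self.window:
            q.popleft()                 # forget touches older than the window
        if len(q) >= self.threshold:
            self.blocked[ip] = now + self.block_ttl
            q.clear()
            self.on_block(ip)
            return "blocked"
        return "hit"


def run_log(lines, trap):
    """Parse 'time src_ip dst_port' lines and return (ip, port, decision) tuples."""
    out = []
    for line in lines:
        t, ip, port = line.split()
        out.append((ip, int(port), trap.observe(ip, int(port), float(t))))
    return out


SAMPLE_LOG = [  # constructed sample, not real traffic
    "0.0 203.0.113.7 22",      # normal ssh connection: not a trap port
    "1.0 203.0.113.7 1",       # first trap hit
    "1.5 203.0.113.7 11",      # second trap hit inside the window -> block
    "2.0 203.0.113.7 80",      # anything further from that IP is dropped
    "3.0 198.51.100.9 31337",  # allowlisted 'important' host touches a trap port
    "3.2 198.51.100.9 12345",  # ... and is still never blocked
    "4.0 192.0.2.55 1080",     # one hit
    "30.0 192.0.2.55 1524",    # second hit, but outside the 10 s window -> no block
    "3700.0 203.0.113.7 22",   # block lifetime elapsed -> unblocked, traffic accepted
]


def demo():
    events = []
    trap = ScanTrap(allowlist={"198.51.100.9"},
                    on_block=lambda ip: events.append(("block", ip)),
                    on_unblock=lambda ip: events.append(("unblock", ip)))
    decisions = run_log(SAMPLE_LOG, trap)
    return decisions, events


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
    print(demo()[1])
```

The allowlist and the block lifetime are the two knobs that answer the objection in the quoted reply: an address that must never be cut off is simply never counted, and an unwanted block on anything else goes away on its own even if nobody reads the pager. Note that this only ever counts what the kernel reports as a connection attempt; a single-port sweep like the rsync example in the thread never touches a trap port and is, as the poster concedes, not caught by this at all.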

