Kim Ingemann wrote:

>I'm using portsentry and I can really recommend it. It can act as a trap
>for scanners because it binds itself to certain manually defined ports
>(that scanners usually scan). My setup says that if someone touches a
>couple of those ports in a short period of time it drops the connection
>to that IP directly and notifies me about it through my cellphone.
>
That kind of automatic policy is dangerous, you can unknowingly block
away whole cable ISPs in some cases and in other cases somebody can
manage to spoof some important IP addresses to make your server block
them away...

>This means that the attacker is already dropped before he/she has a
>chance to use some exploits of the services I'm running.
>
This means some script kiddies are blocked away, but it's useless
against (for example) somebody with an exploit for rsync scanning
exclusively the rsync port for vulnerable hosts.

> Of course - If
>they're used before the scan takes place, then we have a little problem.
>But I guess it takes care of the most of them anyway.
>
>
>

--
Sandino Araico Sánchez
-- What doesn't kill you makes you fat.

--
gentoo-security@g.o mailing list
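
The two objections raised in the reply above, worked through as an added example (not part of the original message and not portsentry's own code): a threshold policy like the one quoted, evaluated over constructed events. The trap ports, threshold, window and the never-block address are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

TRAP_PORTS = {1, 79, 111, 143, 540}   # assumed decoy ports; no real service listens on them
THRESHOLD, WINDOW = 2, 10.0           # "a couple of ports in a short period" (assumed values)
# Hypothetical address the server depends on (resolver, gateway, monitoring host).
NEVER_BLOCK = [ip_network("192.0.2.53/32")]

def evaluate(events, never_block=()):
    """events: (timestamp, source_ip, dest_port) tuples in time order.

    Returns (blocked, suppressed): sources the policy would block, and
    sources that crossed the threshold but are held for manual review
    because they fall inside a never-block network.
    """
    recent = defaultdict(deque)       # source -> recent (timestamp, port) trap hits
    blocked, suppressed = set(), set()
    for ts, src, port in events:
        if port not in TRAP_PORTS:
            continue                  # traffic to real services never reaches the trap
        hits = recent[src]
        hits.append((ts, port))
        while hits and ts - hits[0][0] > WINDOW:
            hits.popleft()            # forget hits older than the window
        if len({p for _, p in hits}) >= THRESHOLD:
            if any(ip_address(src) in net for net in never_block):
                suppressed.add(src)   # alert only; the source field cannot be trusted
            else:
                blocked.add(src)
    return blocked, suppressed

# Constructed events using documentation address ranges.
EVENTS = [
    (0.0, "198.51.100.7", 1), (1.0, "198.51.100.7", 111),     # noisy multi-port scan
    (2.0, "203.0.113.9", 873), (2.5, "203.0.113.9", 873),     # rsync-only probe, no trap port touched
    (3.0, "192.0.2.53", 79), (3.2, "192.0.2.53", 143),        # source field shows our own resolver
    (4.0, "198.51.100.20", 1), (30.0, "198.51.100.20", 540),  # two hits, outside the window
]

if __name__ == "__main__":
    print("no exemptions:  ", evaluate(EVENTS))
    print("with never-block:", evaluate(EVENTS, NEVER_BLOCK))
```

Without exemptions the policy blocks the resolver's address along with the scanner; in both runs the rsync-only source is never seen by the trap at all.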