| 1 |
On Fri, 2004-01-09 at 12:22, Sandino Araico Sanchez wrote: |
| 2 |
> Kim Ingemann wrote: |
| 3 |
> |
| 4 |
> >I'm using portsentry and I can really recommend it. It can act as a trap |
| 5 |
> >for scanners because it binds itself to certain manually defined ports |
| 6 |
> >(that scanners usually scans). My setup says that if someone touches a |
| 7 |
> >couple of those ports in a short period of time it drops the connection |
| 8 |
> >to that IP directly and notifies me about it through my cellphone. |
| 9 |
> > |
| 10 |
> That kind of automatic policy is dangerous, you can unknowingly block |
| 11 |
> away whole cable ISPs in some cases and in other cases somebody can |
| 12 |
> manage to spoof some important IP addresses to make your server block |
| 13 |
> them away... |
| 14 |
|
| 15 |
Yes, of course. But they will be removed from the firewall again later. |
| 16 |
It is simply to prevent any successful scan on a larger portrange. It's |
| 17 |
not like I'm not monitoring anything. As I wrote, I get notified by |
| 18 |
cellphone when anything happens. If it happens that any important IP |
| 19 |
address get blocked, I simple just remove it again at once. |
| 20 |
|
| 21 |
If I didn't use it, the kiddie will have a successful scan in a matter |
| 22 |
of seconds perhaps minutes. Most likely he/she will run different |
| 23 |
exploits on the open services to gain access to the machine. If any |
| 24 |
success, it could perhaps take two or three minutes to get root access |
| 25 |
to my machine, while I'm taking a piss or whatever, without me knowing |
| 26 |
anything about it. |
| 27 |
|
| 28 |
That could happen anyway without a scan, but I'm sure that a large |
| 29 |
amount of those kiddies are scanning the host to find open services |
| 30 |
before they try to exploit them. |
| 31 |
|
| 32 |
Having my cellphone beeping, there is sure any reason to go montior the |
| 33 |
system for any changes files or what so ever (I have scripts fo that) if |
| 34 |
I'm not currently active (like when sending mails to a mailinglist :o)). |
| 35 |
|
| 36 |
> >This means that the attacker is already dropped before he/she have a |
| 37 |
> >chance to use some exploits of the services I'm running. |
| 38 |
> > |
| 39 |
> This means some script kiddies are blocked away, but it's useless |
| 40 |
> against (for example) somebody with an exploit for rsync scanning |
| 41 |
> exclusively the rsync port for vulnerable hosts. |
| 42 |
|
| 43 |
Exactly as I mentioned below, yes. |
| 44 |
|
| 45 |
> > Of course - If |
| 46 |
> >they're used before the scan takes place, then we have a little problem. |
| 47 |
> >But I guess it takes care of the most of them anyway. |
| 48 |
|
| 49 |
-- |
| 50 |
Med venlig hilsen / Best regards, |
| 51 |
|
| 52 |
Kim Ingemann |
| 53 |
http://pingvinland.dk/ |
Archives