List Archive: gentoo-security
On Fri, 2004-01-09 at 12:22, Sandino Araico Sanchez wrote:
> Kim Ingemann wrote:
> >I'm using portsentry and I can really recommend it. It can act as a trap
> >for scanners because it binds itself to certain manually defined ports
> >(that scanners usually scan). My setup says that if someone touches a
> >couple of those ports in a short period of time it drops the connection
> >to that IP directly and notifies me about it through my cellphone.
> That kind of automatic policy is dangerous, you can unknowingly block
> away whole cable ISPs in some cases and in other cases somebody can
> manage to spoof some important IP addresses to make your server block
> them away...
Yes, of course. But they will be removed from the firewall again later.
It is simply to prevent any successful scan on a larger portrange. It's
not like I'm not monitoring anything. As I wrote, I get notified by
cellphone when anything happens. If it happens that any important IP
address gets blocked, I simply just remove it again at once.
If I didn't use it, the kiddie will have a successful scan in a matter
of seconds perhaps minutes. Most likely he/she will run different
exploits on the open services to gain access to the machine. If any
success, it could perhaps take two or three minutes to get root access
to my machine, while I'm taking a piss or whatever, without me knowing
anything about it.
That could happen anyway without a scan, but I'm sure that a large
amount of those kiddies are scanning the host to find open services
before they try to exploit them.
Having my cellphone beeping, there is surely a reason to go monitor the
system for any changed files or whatsoever (I have scripts for that) if
I'm not currently active (like when sending mails to a mailinglist :o)).
> >This means that the attacker is already dropped before he/she has a
> >chance to use some exploits of the services I'm running.
> This means some script kiddies are blocked away, but it's useless
> against (for example) somebody with an exploit for rsync scanning
> exclusively the rsync port for vulnerable hosts.
Exactly as I mentioned below, yes.
> > Of course - If
> >they're used before the scan takes place, then we have a little problem.
> >But I guess it takes care of most of them anyway.
Med venlig hilsen / Best regards,
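The policy debated above (trap ports, a hit threshold inside a short window, drop the source, notify, lift the block later) can be modelled in a few dozen lines. The following is an added example written for this archive page; it is not portsentry's code and not code posted by either participant. The trap-port list, the time window, the block duration, the "never block" networks and the traffic trace are all constructed for the demonstration. It also adds the mitigation the objection in this thread calls for: sources in an allowlist only raise an alert and are never blocked, and every block expires on its own, so a spoofed or shared address cannot be locked out for good.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed trap ports: nothing legitimate listens here, so any touch is suspect.
TRAP_PORTS = {1080, 12345, 31337}
WINDOW_SECONDS = 10      # hits must fall inside this window to count together
THRESHOLD = 3            # "a couple of those ports in a short period of time"
BLOCK_SECONDS = 3600     # blocks are removed again automatically
# Constructed allowlist: own LAN plus an "important" peer that must never be cut off.
NEVER_BLOCK = [ip_network("10.0.0.0/8"), ip_network("192.0.2.1/32")]


class TrapMonitor:
    """Per-source trap-port counter with expiring blocks and an allowlist."""

    def __init__(self, trap_ports=TRAP_PORTS, window=WINDOW_SECONDS,
                 threshold=THRESHOLD, block_for=BLOCK_SECONDS, never_block=NEVER_BLOCK):
        self.trap_ports = set(trap_ports)
        self.window = window
        self.threshold = threshold
        self.block_for = block_for
        self.never_block = list(never_block)
        self.hits = defaultdict(deque)   # src -> timestamps of trap-port hits
        self.blocked = {}                # src -> time the block expires
        self.events = []                 # (kind, src, time): stand-in for the pager

    def _expire(self, now):
        # Lift every block whose time is up; this is the "removed again later" step.
        for src, until in list(self.blocked.items()):
            if until <= now:
                del self.blocked[src]
                self.events.append(("unblock", src, now))

    def observe(self, now, src, dport):
        """Return 'drop' or 'pass' for one inbound connection attempt."""
        self._expire(now)
        if src in self.blocked:
            return "drop"                # already cut off, whatever port it asks for
        if dport not in self.trap_ports:
            return "pass"                # real services are not what the trap watches
        q = self.hits[src]
        q.append(now)
        while q and q[0] < now - self.window:
            q.popleft()                  # forget hits that fell out of the window
        if len(q) < self.threshold:
            return "pass"
        if any(ip_address(src) in net for net in self.never_block):
            self.events.append(("alert-only", src, now))
            return "pass"                # notify, but never block an allowlisted source
        self.blocked[src] = now + self.block_for
        self.events.append(("block", src, now))
        return "drop"


# Constructed trace: (seconds, source, destination port).
SAMPLE_TRAFFIC = [
    (0.0, "203.0.113.5", 1080),
    (0.5, "203.0.113.5", 31337),
    (1.0, "203.0.113.5", 12345),   # third trap hit inside the window -> block
    (2.0, "203.0.113.5", 22),      # a real service, but the source is blocked now
    (3.0, "198.51.100.7", 873),    # single-port rsync probe never touches a trap port
    (4.0, "10.0.0.9", 1080),
    (4.1, "10.0.0.9", 31337),
    (4.2, "10.0.0.9", 12345),      # allowlisted LAN host: alert only, no block
    (3601.5, "203.0.113.5", 22),   # block has expired -> passes again
]


def run(traffic):
    """Feed a trace through one monitor; return (verdicts, monitor)."""
    mon = TrapMonitor()
    verdicts = [mon.observe(t, src, port) for t, src, port in traffic]
    return verdicts, mon


def run_sample():
    return run(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    verdicts, mon = run_sample()
    for (t, src, port), v in zip(SAMPLE_TRAFFIC, verdicts):
        print(f"{t:8.1f}  {src:>14}  :{port:<6} {v}")
    for ev in mon.events:
        print("event:", ev)
```

The trace shows both sides of the argument: the multi-port scanner is dropped after its third trap hit and stays dropped when it turns to a real service, while the single-port rsync probe is never seen by the trap at all, and the allowlisted host only pages the operator. Running the block prints the verdict per connection followed by the block, alert-only and unblock events.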