List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Kim Ingemann <mail@...>
Subject: Re: firewall suggestions?
Date: Fri, 09 Jan 2004 13:18:54 +0100
On Fri, 2004-01-09 at 12:22, Sandino Araico Sanchez wrote:
> Kim Ingemann wrote:
> 
> >I'm using portsentry and I can really recommend it. It can act as a trap
> >for scanners because it binds itself to certain manually defined ports
> >(that scanners usually scan). My setup says that if someone touches a
> >couple of those ports in a short period of time it drops the connection
> >to that IP directly and notifies me about it through my cellphone.
> >
> That kind of automatic policy is dangerous, you can unknowingly block 
> away whole cable ISPs in some cases and in other cases somebody can 
> manage to spoof some important IP addresses to make your server block 
> them away...

Yes, of course. But they will be removed from the firewall again later.
It is simply to prevent any successful scan on a larger port range. It's
not like I'm not monitoring anything. As I wrote, I get notified by
cellphone when anything happens. If it happens that any important IP
address gets blocked, I simply just remove it again at once.

If I didn't use it, the kiddie will have a successful scan in a matter
of seconds perhaps minutes. Most likely he/she will run different
exploits on the open services to gain access to the machine. If any
success, it could perhaps take two or three minutes to get root access
to my machine, while I'm taking a piss or whatever, without me knowing
anything about it.

That could happen anyway without a scan, but I'm sure that a large
amount of those kiddies are scanning the host to find open services
before they try to exploit them.

Having my cellphone beeping, there is surely a reason to go monitor the
system for any changed files or whatsoever (I have scripts for that) if
I'm not currently active (like when sending mails to a mailing list :o)).

> >This means that the attacker is already dropped before he/she has a
> >chance to use some exploits of the services I'm running.
> >
> This means some script kiddies are blocked away, but it's useless 
> against (for example) somebody with an exploit for rsync scanning 
> exclusively the rsync port for vulnerable hosts.

Exactly as I mentioned below, yes.

> > Of course - If
> >they're used before the scan takes place, then we have a little problem.
> >But I guess it takes care of the most of them anyway.

-- 
Med venlig hilsen / Best regards,

Kim Ingemann
http://pingvinland.dk/
Attachment:
signature.asc (This is a digitally signed message part)
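The policy argued over in this exchange, as an added example that is not part of the thread and is not portsentry's code: several touches on unused "trap" ports within a short window get the source blocked and the admin alerted, blocks expire on their own (Kim's "removed from the firewall again later"), and a never-block list covers the addresses whose accidental or spoofed blocking Sandino warns about. The trap ports, the never-block addresses and the log lines are all constructed for the example; `TrapWatcher`, `parse_line` and `run` are names chosen here.

```python
"""Trap-port watcher with automatic, time-limited blocking.

Added example, not code from the thread or from portsentry. All ports,
addresses and log lines are constructed.
"""
from collections import defaultdict, deque

# Constructed trap ports: nothing legitimate listens here, so any touch
# is suspicious. (Not portsentry's real default list.)
TRAP_PORTS = {1, 11, 15, 111, 1080, 31337}

# Constructed "important" addresses that must never be auto-blocked,
# e.g. the ISP's resolver or the admin's own home address. Trap hits
# from these are reported but not acted on, which blunts the spoofing
# and whole-ISP problems raised in the reply.
NEVER_BLOCK = {"198.51.100.53", "203.0.113.1"}


class TrapWatcher:
    def __init__(self, trap_ports=TRAP_PORTS, threshold=3, window=10,
                 block_ttl=600, never_block=NEVER_BLOCK):
        self.trap_ports = trap_ports
        self.threshold = threshold      # trap touches needed before blocking
        self.window = window            # seconds within which they must occur
        self.block_ttl = block_ttl      # seconds a block stays in place
        self.never_block = never_block
        self.hits = defaultdict(deque)  # ip -> timestamps of recent trap touches
        self.blocked = {}               # ip -> expiry timestamp
        self.alerts = []                # messages that would go to the phone

    def expire(self, now):
        """Lift blocks whose TTL has passed; return the addresses released."""
        released = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in released:
            del self.blocked[ip]
        return released

    def observe(self, now, src_ip, dst_port):
        """Feed one connection attempt; return the action taken."""
        self.expire(now)
        if src_ip in self.blocked:
            return "already_blocked"
        if dst_port not in self.trap_ports:
            return "ignored"
        q = self.hits[src_ip]
        q.append(now)
        # Keep only touches inside the sliding window.
        while q and q[0] < now - self.window:
            q.popleft()
        if len(q) < self.threshold:
            return "noted"
        q.clear()
        if src_ip in self.never_block:
            self.alerts.append(f"{now}: trap hits from protected {src_ip}, NOT blocked")
            return "protected"
        self.blocked[src_ip] = now + self.block_ttl
        self.alerts.append(f"{now}: blocked {src_ip} for {self.block_ttl}s")
        return "blocked"


def parse_line(line):
    """Parse a constructed 'epoch_seconds src_ip dst_port' log line."""
    ts, ip, port = line.split()
    return int(ts), ip, int(port)


# Constructed connection log: a fast scanner, a protected address that
# trips the trap, a slow scanner that stays under the window, and the
# first scanner coming back after its block has expired.
SAMPLE_LOG = """\
1000 192.0.2.10 80
1001 192.0.2.10 111
1002 192.0.2.10 1080
1003 192.0.2.10 31337
1004 192.0.2.10 22
1100 198.51.100.53 1
1101 198.51.100.53 11
1102 198.51.100.53 15
1200 192.0.2.20 111
1230 192.0.2.20 1080
1260 192.0.2.20 31337
1700 192.0.2.10 22
"""


def run(log=SAMPLE_LOG, **kw):
    """Replay the log; return ([(ts, ip, action), ...], watcher)."""
    w = TrapWatcher(**kw)
    decisions = [(ts, ip, w.observe(ts, ip, port))
                 for ts, ip, port in map(parse_line, log.splitlines())]
    return decisions, w


if __name__ == "__main__":
    decisions, watcher = run()
    for d in decisions:
        print(*d)
    print("alerts:", *watcher.alerts, sep="\n  ")
```

Replaying the constructed log shows both halves of the argument: the fast scanner is cut off after its third trap touch and is back to "ignored" once the 600-second block lapses, the protected resolver only produces an alert, and the slow scanner at 30-second intervals never reaches the threshold, which is the gap Sandino points at for a scanner that targets one service port and takes its time.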