On Fri, 2004-01-09 at 12:22, Sandino Araico Sanchez wrote:
> Kim Ingemann wrote:
>
> >I'm using portsentry and I can really recommend it. It can act as a trap
> >for scanners because it binds itself to certain manually defined ports
> >(that scanners usually scan). My setup says that if someone touches a
> >couple of those ports in a short period of time it drops the connection
> >to that IP directly and notifies me about it through my cellphone.
> >
> That kind of automatic policy is dangerous, you can unknowingly block
> away whole cable ISPs in some cases and in other cases somebody can
> manage to spoof some important IP addresses to make your server block
> them away...

Yes, of course. But they will be removed from the firewall again later.
It is simply to prevent any successful scan on a larger port range. It's
not like I'm not monitoring anything. As I wrote, I get notified by
cellphone when anything happens. If it happens that any important IP
address gets blocked, I simply just remove it again at once.

If I didn't use it, the kiddie would have a successful scan in a matter
of seconds, perhaps minutes. Most likely he/she will run different
exploits on the open services to gain access to the machine. If any
success, it could perhaps take two or three minutes to get root access
to my machine, while I'm taking a piss or whatever, without me knowing
anything about it.

That could happen anyway without a scan, but I'm sure that a large
amount of those kiddies are scanning the host to find open services
before they try to exploit them.

Having my cellphone beeping, there is surely a reason to go monitor the
system for any changed files or whatsoever (I have scripts for that) if
I'm not currently active (like when sending mails to a mailing list :o)).

> >This means that the attacker is already dropped before he/she has a
> >chance to use some exploits of the services I'm running.
> >
> This means some script kiddies are blocked away, but it's useless
> against (for example) somebody with an exploit for rsync scanning
> exclusively the rsync port for vulnerable hosts.

Exactly as I mentioned below, yes.

> > Of course - If
> >they're used before the scan takes place, then we have a little problem.
> >But I guess it takes care of most of them anyway.

--
Med venlig hilsen / Best regards,

Kim Ingemann
http://pingvinland.dk/
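The policy argued over above (trap ports, a threshold within a short window, an automatic block, and the objection that spoofed or ISP-wide addresses can get caught) can be modelled in a few dozen lines. The following is an added illustration written for this thread, not portsentry's own code: the trap-port set, threshold, window, block lifetime and allowlist are all constructed assumptions, as are the sample connection attempts. It shows both sides of the discussion: a scanner touching two decoy ports is blocked before reaching a real service, a single-port rsync probe never trips the trap, an allowlisted address only raises an alert even if traffic is spoofed from it, and every block expires on its own.

```python
"""Toy model of a portsentry-style trap-port blocker with expiring blocks.

Added illustration for the mailing-list discussion above; not portsentry code.
All ports, addresses, thresholds and events below are constructed assumptions.
"""
from collections import defaultdict, deque

TRAP_PORTS = {1, 11, 15, 111, 143, 540, 1080, 1524, 2000, 5742, 6667, 12345}
THRESHOLD = 2        # hits on this many distinct trap ports within WINDOW -> block
WINDOW = 10.0        # seconds ("a couple of those ports in a short period of time")
BLOCK_TTL = 3600.0   # seconds; blocks expire so a spoofed or ISP-wide block is temporary
NEVER_BLOCK = {"192.0.2.1", "198.51.100.53"}  # constructed allowlist: gateway, resolver


class TrapBlocker:
    def __init__(self):
        self.hits = defaultdict(deque)  # src ip -> deque of (timestamp, trap port)
        self.blocked = {}               # src ip -> expiry timestamp
        self.alerts = []                # (time, kind, ip): what would be sent to the phone

    def expire(self, now):
        """Lift blocks whose lifetime has passed ("removed from the firewall later")."""
        for ip, until in list(self.blocked.items()):
            if until <= now:
                del self.blocked[ip]
                self.alerts.append((now, "unblock", ip))

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self.blocked

    def observe(self, now, src_ip, dst_port):
        """Feed one inbound connection attempt; return the action taken."""
        self.expire(now)
        if src_ip in self.blocked:
            return "drop"                 # already blocked: never reaches the service
        if dst_port not in TRAP_PORTS:
            return "pass"                 # a real service port is not a trap
        q = self.hits[src_ip]
        q.append((now, dst_port))
        while q and now - q[0][0] > WINDOW:  # forget hits outside the window
            q.popleft()
        if len({p for _, p in q}) >= THRESHOLD:
            if src_ip in NEVER_BLOCK:
                # Spoofed traffic from an important address: notify, but do not block.
                self.alerts.append((now, "alert-only", src_ip))
                return "alert-only"
            self.blocked[src_ip] = now + BLOCK_TTL
            self.alerts.append((now, "block", src_ip))
            return "block"
        return "trap-hit"


def run_demo():
    """Replay constructed connection attempts; returns (blocker, actions)."""
    events = [  # constructed: (seconds, source ip, destination port)
        (0.0, "203.0.113.9", 1),
        (0.5, "203.0.113.9", 11),      # second distinct trap port -> blocked
        (0.9, "203.0.113.9", 22),      # dropped before sshd ever sees it
        (1.0, "203.0.113.77", 873),    # rsync-only probe: not a trap port, passes
        (2.0, "198.51.100.53", 1),
        (2.1, "198.51.100.53", 15),    # "spoofed" allowlisted resolver -> alert only
        (3700.0, "203.0.113.9", 22),   # block has expired -> passes again
    ]
    blocker = TrapBlocker()
    actions = [blocker.observe(t, ip, port) for t, ip, port in events]
    return blocker, actions


if __name__ == "__main__":
    b, acts = run_demo()
    for a in acts:
        print(a)
    for t, kind, ip in b.alerts:
        print(f"t={t:>7}: {kind} {ip}")
```

The two knobs that answer the objection in the thread are `BLOCK_TTL` and `NEVER_BLOCK`: a block that expires limits the damage of a spoofed trigger or a shared NAT address, and an allowlist keeps the upstream gateway and resolver reachable no matter what the trap sees. Note also that the single-port rsync probe passes untouched, which is the limitation Sandino points out.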