Gentoo Archives: gentoo-security

From: Sandino Araico Sanchez <sandino@×××××××.net>
To: Kim Ingemann <mail@×××××××××××.dk>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Fri, 09 Jan 2004 11:10:29
In Reply to: Re: [gentoo-security] firewall suggestions? by Kim Ingemann
Kim Ingemann wrote:

>I'm using portsentry and I can really recommend it. It can act as a trap
>for scanners because it binds itself to certain manually defined ports
>(that scanners usually scan). My setup says that if someone touches a
>couple of those ports in a short period of time it drops the connection
>to that IP directly and notifies me about it through my cellphone.

That kind of automatic policy is dangerous; you can unknowingly block away whole cable ISPs in some cases and in other cases somebody can manage to spoof some important IP addresses to make your server block them away...

>This means that the attacker is already dropped before he/she has a
>chance to use some exploits of the services I'm running.

This means some script kiddies are blocked away, but it's useless against (for example) somebody with an exploit for rsync scanning exclusively the rsync port for vulnerable hosts.

> Of course - If
>they're used before the scan takes place, then we have a little problem.
>But I guess it takes care of most of them anyway.

--
Sandino Araico Sánchez
-- What doesn't kill you makes you fat.

--
gentoo-security@g.o mailing list
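
The risk raised in the reply above (a forged source address getting an important host blocked), shown as an added example that is not part of the original message: a blocking policy that ignores trap hits without a completed TCP handshake, only alerts for addresses on a never-block list, and lets blocks expire. The event format, addresses and thresholds are constructed assumptions, not portsentry's log format or configuration.

```python
import ipaddress
from collections import defaultdict

WINDOW = 60        # seconds in which trap hits are counted together
THRESHOLD = 3      # distinct trap ports before a source is blocked
BLOCK_TTL = 3600   # blocks expire, so a shared or reassigned address recovers

# Hypothetical addresses that must never be auto-blocked (resolver, upstream range).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "198.51.100.0/28")]

# Constructed events: (unix_time, source_ip, trap_port, handshake_completed).
# handshake_completed=False means a lone SYN or UDP datagram, whose source can be forged.
EVENTS = [
    (1000, "203.0.113.7", 1, True),
    (1005, "203.0.113.7", 79, True),
    (1010, "203.0.113.7", 111, True),
    (1020, "192.0.2.53", 1, False),
    (1021, "192.0.2.53", 79, False),
    (1022, "192.0.2.53", 111, False),
    (1030, "198.51.100.200", 1, False),
    (1031, "198.51.100.200", 79, False),
    (1032, "198.51.100.200", 111, False),
    (1040, "203.0.113.99", 1, True),
    (1045, "203.0.113.99", 79, True),
]

def decide(events, never_block=NEVER_BLOCK):
    """Return {source_ip: (action, expires_at)} for the given trap events."""
    hits = defaultdict(list)
    decisions = {}
    for ts, src, port, handshake in sorted(events):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in never_block):
            decisions[src] = ("alert-only", None)   # notify a human, never drop
            continue
        if not handshake:
            continue                                # unverified source: do not act on it
        # Keep only hits inside the window, then add the current one.
        hits[src] = [(t, p) for t, p in hits[src] if ts - t <= WINDOW] + [(ts, port)]
        if len({p for _, p in hits[src]}) >= THRESHOLD:
            decisions[src] = ("block", ts + BLOCK_TTL)
    return decisions

if __name__ == "__main__":
    for src, (action, expires) in decide(EVENTS).items():
        print(src, action, expires)
```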

