"Kevin D" <[EMAIL PROTECTED]> wrote:
> And then when the hacker does a decoy scan you get hundreds of innocent IPs
> blocked from your server. And hey, if the hacker discovers what you're
> doing, he can just send more decoys until your server is pretty much shut
> down to the outside world, until the rules get flushed in 2-3 days.

Maybe I should disconnect all my servers and recommend my clients do the same. :-)

You do have a valid point though. Sure, there's a chance someone may attempt some sort of DOS attack or something else that can be a pain. And that kind of thing shouldn't be overlooked. But in my experience, by far the greatest risk is from script kiddies and other low-level crackers. In general, they're not targeting a specific box, they're running software which scans many machines looking for exploitable systems. IMO, if your box becomes a less desirable target because it's more secure than other boxes and/or it appears not to exist because a port scan was recognized, it's no longer as desirable a target. Of course, a tool like PortSentry is just a small part of a good security arsenal, but I think it's a tool that has value.

> If you're really lucky, one of the decoys he uses will be the one you
> connect from to admin the server :)

I'm more worried about locking myself out because of something stupid I do. Like having a typo in my IPCHAINS rules and blocking all traffic internal to the box. Not that I did that a few days ago. <g>

But seriously, even if a DOS attack like the one you describe occurs you should have options. Like a reboot. Hopefully you have physical access to the server or can make a call to someone who does. Of course, if your most recent IPCHAINS rules are loaded on reboot you'd really need physical access to boot via the serial port. In any case, I prefer to set up IPCHAINS with several trusted IPs so it's harder to get locked out. And on a number of servers I have set up a special email address piping to a CGI script so I can fire off commands that get executed via the shell (there is security built into it) and have a secure webpage where I can do the same. Fun stuff.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
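
The trusted-IP safeguard discussed in this message, as an added example that is not part of the original post and is not PortSentry's own code: scan detections are turned into ipchains commands, with trusted sources always accepted ahead of any DENY rule and old detections aged out. The addresses (documentation ranges), the 2-day lifetime, the sample events and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumed values: admin addresses from documentation ranges, and a 2-day
# block lifetime (the thread mentions rules being flushed in 2-3 days).
TRUSTED = [ipaddress.ip_network(n)
           for n in ("127.0.0.0/8", "192.0.2.10/32", "198.51.100.0/28")]
BLOCK_TTL = 2 * 24 * 3600


def is_trusted(ip):
    """True if ip falls inside any trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def plan(events, now):
    """Build the rule set from (timestamp, source_ip) scan detections.

    Returns (commands, skipped): the ipchains commands to load, and the
    trusted sources a detection named but that were deliberately not blocked.
    """
    blocked, skipped = set(), []
    for ts, ip in events:
        if is_trusted(ip):
            skipped.append(ip)      # spoofed decoy or admin mistake: never block
        elif now - ts < BLOCK_TTL:
            blocked.add(ip)         # still inside the block lifetime
    # ACCEPT rules occupy positions 1..n of the input chain.
    cmds = ["ipchains -I input %d -s %s -j ACCEPT" % (i + 1, net)
            for i, net in enumerate(TRUSTED)]
    # DENY rules are inserted below them, so a block can never shadow an ACCEPT.
    pos = len(TRUSTED) + 1
    cmds += ["ipchains -I input %d -s %s -j DENY" % (pos, ip)
             for ip in sorted(blocked)]
    return cmds, skipped


# Constructed sample detections (not real log data).
NOW = 1_000_000
EVENTS = [
    (NOW - 3 * 24 * 3600, "203.0.113.5"),   # older than the lifetime: no rule
    (NOW - 600, "203.0.113.77"),            # recent scan source
    (NOW - 590, "192.0.2.10"),              # admin address appearing as a decoy
    (NOW - 580, "198.51.100.3"),            # inside the trusted /28
]

if __name__ == "__main__":
    commands, skipped = plan(EVENTS, NOW)
    print("\n".join(commands))
    print("not blocked (trusted):", skipped)
```

The skipped list is worth logging: a trusted address showing up as a scan source is a sign that source addresses are being spoofed.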
