On Sun, 12 Mar 2000, Paul Tan wrote:
> just wondering, is it possible to stop port scans, log them, as well as
> configure IPchains to deny access from that particular IP address who is scanning for
> a period of time.
1. Stopping port scans.
The only way to do anything useful is to send back enough data to make the
scan useless. I don't know about IPChains, but IPFilter has some
interesting things like return-rst for doing such.
2. Logging port scans is possible, but IMNSHO fairly fruitless unless
you're willing to dedicate a significant machine with a great deal of disk
space to the task. In that case, a better course would be to buy an IDS
box and gain more information and better accounting.
3. Blocking scanners tends to make the scanners start to spoof the source
addresses so that you inadvertently block access to legitimate servers.
Anyone who's doing auto-blocking is opening themselves up for
self-directed DoS attacks in one way or another.
<Soapbox>
If scanners worry you, you're not doing the right stuff for your hosts or
networks. If you don't have a concrete idea of *exactly* what packets
(including spoofed packets, fragments, bad packets, etc.) can pass your
outside screen, it's time to go back and reengineer your perimeter. If
you have to allow an unmanageable amount of traffic in and out of your
networks, it's time to have another look at the assumptions used to allow
Internet access from your site. If your hosts have predictable sequence
numbers, it's time to upgrade the OS or switch vendors. None of the
non-DoS threats out there are significantly difficult to protect from
given the correct architecture, configuration and information.
</soapbox>
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
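An added example, not part of Paul's reply or anything posted to the list, showing what points 2 and 3 look like in code: a small detector that reads ipchains "Packet log:" lines, flags sources that probe many ports in a short window, and then refuses to auto-block anything on a fixed allowlist of servers the site cannot afford to lose (the spoofed-source self-DoS Paul warns about). The log layout follows the 2.2 kernel's ipchains message format as I remember it, the sample lines are constructed, and the allowlist addresses and the `gw` hostname are made up for the example.

```python
"""
Port-scan detection over ipchains "Packet log:" lines, plus a guard
against the self-inflicted DoS from auto-blocking spoofed sources.

Added example, not from the original post.  Assumptions: the syslog +
ipchains (kernel 2.2) line layout below, and the hypothetical
NEVER_BLOCK addresses.  All sample log lines are constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ kernel: "
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Servers a spoofed scan must never get us to block ourselves (hypothetical).
NEVER_BLOCK = {
    "192.168.1.53": "site DNS server",
    "192.168.1.25": "mail relay",
    "203.0.113.1": "upstream router",
}


def parse_line(line):
    """Return the fields we need from one ipchains log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])  # seconds since midnight
    return {"t": t, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "proto": int(m["proto"]), "target": m["target"]}


def find_scanners(lines, min_ports=10, window=60):
    """Map src -> most distinct (dst, dport) targets it was DENIED on within
    any `window`-second span; only sources reaching min_ports are returned."""
    events = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p and p["target"] == "DENY":
            events[p["src"]].append((p["t"], (p["dst"], p["dport"])))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end, (t_end, _) in enumerate(evs):      # sliding time window
            while t_end - evs[start][0] > window:
                start += 1
            best = max(best, len({tgt for _, tgt in evs[start:end + 1]}))
        if best >= min_ports:
            scanners[src] = best
    return scanners


def plan_blocks(scanners, never_block=NEVER_BLOCK, max_blocks=50):
    """Decide which scanners to block.  Allowlisted addresses are skipped
    (a scanner can forge them), and a block budget bounds the damage if a
    scanner forges thousands of sources."""
    blocked, skipped = [], []
    for src in sorted(scanners):
        if src in never_block:
            skipped.append((src, "allowlisted: " + never_block[src]))
        elif len(blocked) >= max_blocks:
            skipped.append((src, "block budget exhausted"))
        else:
            blocked.append(src)
    return blocked, skipped


def ipchains_rules(blocked):
    """(add, remove) command pairs; the caller runs the remove after a timeout."""
    return [(f"ipchains -I input -s {ip} -j DENY",
             f"ipchains -D input -s {ip} -j DENY") for ip in blocked]


def _line(hms, src, sport, dst, dport):
    # Constructed log line in the assumed ipchains format.
    return (f"Mar 12 {hms} gw kernel: Packet log: input DENY eth0 PROTO=6 "
            f"{src}:{sport} {dst}:{dport} L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#5)")


SAMPLE_LINES = (
    # a genuine SYN scan: 12 ports in 12 seconds
    [_line(f"10:00:{i:02d}", "10.9.8.7", 40000 + i, "192.168.1.1", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 79, 80, 110, 111, 139, 143, 443])]
    # the same scan with the source forged to be our DNS server (point 3)
    + [_line(f"10:05:{i:02d}", "192.168.1.53", 53, "192.168.1.1", p)
       for i, p in enumerate([21, 22, 23, 25, 79, 80, 110, 111, 139, 143, 443, 8080])]
    # one stray denied packet: not a scan
    + [_line("10:07:00", "198.51.100.9", 1234, "192.168.1.1", 23)]
    # an unrelated syslog line the parser must ignore
    + ["Mar 12 10:07:01 gw sshd[123]: Accepted publickey for admin"]
)

if __name__ == "__main__":
    found = find_scanners(SAMPLE_LINES)
    blocked, skipped = plan_blocks(found)
    print("scanners:", found)
    print("blocked:", blocked, "skipped:", skipped)
    for add, remove in ipchains_rules(blocked):
        print(add, "  # later:", remove)
```

Run as-is it reports both bursts as scans, blocks 10.9.8.7, and skips 192.168.1.53 because it is allowlisted; without the allowlist the forged burst would have produced a DENY rule for the site's own resolver, which is exactly the self-directed DoS described in point 3.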