Have you written a book? You write like an author. - I'd read it

----- Original Message -----
From: "Eliah Kagan" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, December 07, 2006 12:20 AM
Subject: Re: [Full-disclosure] Hail list!

> On 12/6/06, aNub15 wrote:
>> 2. Looking for a low footprint windows firewall that's only supposed to do
>> one thing. If someone hits port 110, block the I.P for a week? (should take
>> care of most portscanners (skiddies)). And no I'm not worried about blocking
>> real users on the box.
>
> Has it occurred to you that someone could send spoofed SYN packets
> with port 110 as the destination, and any IP as the source? Maybe you
> should worry about blocking real users after all. If there is an IP
> range where you know you have no legitimate users, you should instead
> block that IP range. Any IP range where you might have legitimate
> users is a range that someone could deny access to easily. Except
> actually it would be you denying access to them--a person attacking
> you in that way would likely not even be legally responsible
> (but I am not a lawyer).
>
> Also, why would that prevent access by most people scanning your
> ports? Suppose someone is scanning your entire subnet, for instance,
> but only on port 22. Or someone could scan lots of ports on your box,
> and notice that plenty were open until 110 was probed. This person
> could then think one of three things:
>
> (1) Hmm, I guess that's all the ports open on that box.
> (2) Hmm, lots of ports open, and then I scan port 110, and the rest
> are all closed/filtered. (This is specially likely if it is the
> person's *second* scan.) There must be something nice and juicy on
> that box. I will scan the rest of the ports from another IP and then
> penetrate any service I can and find out why such a strange measure of
> pseudo-security is in place.
> (3) Hmm, I was reading Full Disclosure recently and somebody was
> asking about how to blacklist IPs for a week that send traffic to port
> 110. I bet this is the box of the guy who wanted to know how to do it.
> Let's find out why he wanted to do that...
>
>> www.supernoia.com
>
> Script kiddies and anybody else who likes portscanning thank you for
> the heads up. If you are going to implement this almost certainly bad
> idea--and it is for that server--you may wish to at least make it a
> different port.
>
> -Eliah
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
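Added example, not part of the original thread or written by any of its participants: a small offline simulation of the two policies discussed in the quoted reply, replaying constructed SYN events to show which legitimate users each policy locks out. The class names, the `locked_out` helper and all addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

BAN = timedelta(weeks=1)      # "block the I.P for a week"
TRIPWIRE_PORT = 110

class TripwireFirewall:
    """Proposed policy: any SYN to the tripwire port bans its source IP."""
    def __init__(self):
        self.banned_until = {}

    def on_syn(self, src, dport, now):
        """Return True if the packet is accepted, False if dropped."""
        if self.banned_until.get(src, now) > now:
            return False
        if dport == TRIPWIRE_PORT:
            # A bare SYN proves nothing about who sent it: the source
            # address is whatever the sender chose to write in the header.
            self.banned_until[src] = now + BAN
            return False
        return True

class StaticRangeFirewall:
    """Alternative from the reply: block only ranges with no legitimate users."""
    def __init__(self, blocked_ranges):
        self.blocked = [ipaddress.ip_network(r) for r in blocked_ranges]

    def on_syn(self, src, dport, now):
        addr = ipaddress.ip_address(src)
        return not any(addr in net for net in self.blocked)

def locked_out(firewall, events, legit_users, service_port, check_time):
    """Replay events, then list legitimate users who can no longer connect."""
    for ts, src, dport in events:
        firewall.on_syn(src, dport, ts)
    return sorted(u for u in legit_users
                  if not firewall.on_syn(u, service_port, check_time))

# Constructed sample data; nothing here comes from a real capture.
T0 = datetime(2006, 12, 7, 0, 20)
LEGIT = ["192.0.2.10", "192.0.2.11"]
EVENTS = [
    (T0, "192.0.2.10", 80),                            # genuine user traffic
    (T0 + timedelta(seconds=5), "192.0.2.10", 110),    # forged source address
    (T0 + timedelta(seconds=6), "192.0.2.11", 110),    # forged source address
    (T0 + timedelta(seconds=9), "203.0.113.7", 110),   # the actual scanner
]
```

Replaying the same events through both policies shows the tripwire banning both legitimate users for the full week, while the static range block is unaffected by forged source addresses.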
