Hi Suresh,
Interesting post. My comments under.
>>>>> "Suresh" == Suresh Ramasubramanian <[EMAIL PROTECTED]> writes:
Suresh> Mukund Deshmukh saw fit to inform LI that:
>> 1. nmap - a port scanner, which can be rarely detected by an
>> average admin as it uses half syn attack on server.
Suresh> Right - but run a good firewall, and tripwire. These can
Suresh> be configured to recognize portscans such as nmap etc
Suresh> _and_ fire off an automatic mail to the ip block's ARIN
Suresh> contact, reporting a portscan.
Sorry, tripwire is for checking integrity of system files, and anyway
newer versions are commercial now. There is a free clone being
developed. What you're looking for, however, is portsentry, which
recognises portscans and blocks offenders.
Suresh> Minimize the services you run on your server, and don't
Suresh> leave open ports.
Question: if I block off portmapper, or switch it off, what do I lose?
Suresh> Ditch telnet and run only ssh on your server.
That's #1 on my list.
>> 3. hping - The ping utility which can ping with lots of variety
>> including "death of ping"
Suresh> Ever heard of ICMP, SYN etc packet filtering? Helps a
Suresh> lot.
Run tcplog, icmplog, udplog. If nothing else, they will help you
trace attackers. Udplog is a pain in the... neck... if you're running
DNS, but IMHO it's still worth it.
Another sexy utility is Colorlog.pl, which highlights (seemingly)
important system messages.
>> 4. satan and saint - These scripts will attack the server with
>> all the known exploits.
Suresh> [snip]
-- Raju
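As an added illustration of the portscan-recognition idea discussed above (portsentry, tcplog/udplog), here is a small detector, not code from the list or from any of those tools, that flags a source hitting many distinct ports within a short window. The log line shape and the regex are assumptions for the example; they do not reproduce the real tcplog or udplog output format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a generic syslog-like shape (assumed format, not
# the real tcplog/udplog output). One host sweeps several ports in a few
# seconds; another host behaves like a normal ssh/web client.
SAMPLE_LOG = """\
Jan 12 10:00:01 host tcplog: port 21 connection attempt from 203.0.113.5
Jan 12 10:00:02 host tcplog: port 22 connection attempt from 203.0.113.5
Jan 12 10:00:03 host tcplog: port 23 connection attempt from 203.0.113.5
Jan 12 10:00:04 host tcplog: port 25 connection attempt from 203.0.113.5
Jan 12 10:00:05 host tcplog: port 80 connection attempt from 203.0.113.5
Jan 12 10:00:06 host tcplog: port 110 connection attempt from 203.0.113.5
Jan 12 10:00:07 host udplog: port 53 connection attempt from 203.0.113.5
Jan 12 10:01:00 host tcplog: port 22 connection attempt from 198.51.100.7
Jan 12 10:05:00 host tcplog: port 80 connection attempt from 198.51.100.7
Jan 12 10:09:00 host tcplog: port 22 connection attempt from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (tcplog|udplog): "
    r"port (\d+) connection attempt from (\S+)"
)

def parse_line(line, year=2000):
    """Return (timestamp, src_ip, proto_logger, port) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(4), m.group(2), int(m.group(3))

def detect_scans(lines, min_ports=5, window_seconds=60):
    """Map each source that touched >= min_ports distinct ports within
    window_seconds to the sorted list of all ports it touched."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, _proto, port = parsed
            events[src].append((ts, port))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding time window over sorted events
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({p for _, p in evs})
                break
    return scanners

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible portscan from {src}: ports {ports}")
```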
-----------------------------------------------------------------------
For more information on the LIH mailing list see:
http://lists.linux-india.org/lists/LIH