On Mon, Jan 22, 2001 at 01:48:00PM -0500, Burke, Thomas G. wrote:
> Of course, the "Black hole" effect lasts only until the machine is rebooted.
1) Not necessarily. Particularly if you save the chains before
shutting down (doesn't help if you pull the plug). Alternative is that
you can reload the chains from the portsentry history with a relatively
simple script. You want them to be non-volatile across reboot, you
can have it.
2) You also may expire the "black hole" effect. Black hole the
IP address for a day and turn it back on. I rarely see "returns".
Scans from dialup addresses are unlikely to be static. Attackers
are not likely to want to sit on a particular address to avoid being
traced, unless it's a compromised system. I don't see much sense
in blocking out an address for more than 48 hours. If I do see
returns from the same address across expirations, that's a system that
I might want to notify someone about... :-/
3) Rebooting is generally a once in a blue moon thing. Months
uptime on the firewall is normal (unless I'm updating the kernel or the
VPN code).
4) Who cares... If they come back, they get blackholed again.
One big disadvantage to this is that by ignoring the port scans
you are probably missing out on an opportunity to alert some sysadmin
of a compromised box. I feel bad about that, but I'm not sure I'm
any happier at the idea that I could be tipping my hand if I did try
to notify someone else.
> From then on, the input packets are denied by hosts.deny rules...
> > -----Original Message-----
> > From: Bret Hughes [SMTP:[EMAIL PROTECTED]]
> > Sent: Monday, January 22, 2001 1:12 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Ramen worm & port activity
> >
> > Harry Putnam wrote:
> >
> > > "Michael H. Warfield" <[EMAIL PROTECTED]> writes:
> > >
> > > > My systems detect port scanning and simply shut down the firewall
> > > > to the scanner. My entire /19 address space goes dark and the automated
> > > > scanner leaves with the conclusion that there is nothing there. It
> > > > finds nothing to log and wanders on into the night. :-)
> > >
> > > Can you describe this `shut down' process. Especially if it is
> > > simple as you say, maybe describe in detail how to accomplish this.
> > I use portsentry to do this. With the Advanced Stealth mode or whatever it
> > is called, if a scan occurs on a port assigned to an unused service
> > portsentry will add it to the hosts.deny and add an ipchains rule denying all
> > packets from the sender.
I also use portsentry on my firewall in conjunction with the
redirect code in the kernel. Portsentry sits monitoring the ports. Early
chains allow through the specific ports and addresses that I allow for
external connections. Everything else gets forwarded locally to Portsentry.
Anyone attempting to connect to anything other than a specific address:port
combination that I have allowed gets locked out of the entire network.
Half-open SYN scanning looks like the entire /19 network is uniformly
and fully populated, and they get no information. When they attempt to
connect to anything, if they guessed wrong, they're all done. Detects
both wide scans (addresses for a specific port) and deep scans (ports on
a particular address) and slow scans. Doesn't detect distributed scans,
but you are dealing with an entirely different class of annoyance there.
So to determine what services I have, they have to know what services I have
in order to avoid the sentry. That, plus avoid the IDS that's waiting
BEHIND the firewall for anyone trying something trickier. Nastier things
await for those who get past that point... Things like my undivided
personal attention. ;-/
> > Bret
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
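The two ideas in Mike's points 1) and 2) above, reloading the blackholes from the portsentry history after a reboot and letting them expire after 48 hours, fit in one small script. The following is an added example, not code from the message or from portsentry itself. It assumes the PortSentry 1.x history line format (`<epoch> - <date> <time> Host: <name>/<ip> Port: <n> <proto> Blocked`), the ipchains DENY rule portsentry installs for KILL_ROUTE, and a constructed sample history so that it runs offline; the history path in the trailing comment is the default install location and is also an assumption.

```shell
#!/bin/sh
# Reload portsentry blackholes after a reboot, expiring stale ones.
# Added example (not portsentry's own code).  Assumed PortSentry 1.x
# history line format:
#   <epoch> - <mm/dd/yyyy hh:mm:ss> Host: <name>/<ip> Port: <n> <proto> Blocked
# The emitted rule is the ipchains DENY rule portsentry adds at scan time.

MAX_AGE=${MAX_AGE:-172800}   # 48 hours: longer blocks rarely buy anything

# Unique source IPs whose newest history entry is younger than MAX_AGE.
# Usage: recent_blackholes <history-file> <now-epoch> <max-age-seconds>
recent_blackholes() {
    awk -v now="$2" -v max="$3" '
        {
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i == "Host:") { split($(i + 1), h, "/"); ip = h[2] }
            # keep only the most recent block time per address
            if (ip != "" && $1 + 0 > last[ip] + 0) last[ip] = $1 + 0
        }
        END { for (ip in last) if (now - last[ip] < max) print ip }
    ' "$1" | sort
}

# Turn the surviving IP list into ipchains commands (one per address).
# Usage: blackhole_rules <history-file> <now-epoch> <max-age-seconds>
blackhole_rules() {
    recent_blackholes "$1" "$2" "$3" |
        while read -r ip; do
            printf '/sbin/ipchains -I input -s %s -j DENY -l\n' "$ip"
        done
}

# Constructed sample history (not a real log) so the script runs offline:
# three addresses, one of them blocked twice, one older than 48 hours.
SAMPLE_HISTORY=$(mktemp)
cat >"$SAMPLE_HISTORY" <<'EOF'
979900000 - 01/19/2001 10:26:40 Host: 10.9.9.9/10.9.9.9 Port: 111 TCP Blocked
979950000 - 01/20/2001 00:20:00 Host: 10.1.2.3/10.1.2.3 Port: 23 TCP Blocked
980100000 - 01/21/2001 18:00:00 Host: 10.1.2.3/10.1.2.3 Port: 143 TCP Blocked
980190000 - 01/22/2001 19:00:00 Host: 192.0.2.44/192.0.2.44 Port: 21 TCP Blocked
EOF
NOW=980199600   # 22 Jan 2001 21:40 UTC, fixed so the sample is reproducible

# Dry run: print the rules instead of applying them.
blackhole_rules "$SAMPLE_HISTORY" "$NOW" "$MAX_AGE"

# At boot, with a real history file and the live clock, pipe the rules to sh:
#   blackhole_rules /usr/local/psionic/portsentry/portsentry.history \
#       "$(date +%s)" "$MAX_AGE" | sh
```

On the sample, 10.9.9.9 (last seen 83 hours earlier) is dropped and the other two addresses are re-blocked; 10.1.2.3 is emitted once even though it appears twice, because the rule is keyed on the latest entry per address. Run the same script from cron once a day and the expiry in point 2) comes for free: flush the input chain's DENY rules and rebuild them from the history, and anything older than MAX_AGE simply does not come back.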