Re: IP Banning (Using IPFW)

2006-02-09 Thread Daniel A.
On 2/9/06, Chris [EMAIL PROTECTED] wrote: On 07/02/06, David Scheidt [EMAIL PROTECTED] wrote: On Tue, Feb 07, 2006 at 12:40:22AM +0200, Atis wrote: On Sun, 5 Feb 2006 18:55:13 -0500 David Scheidt [EMAIL PROTECTED] wrote: Nonsense. There may be some people that only scan

Re: IP Banning (Using IPFW)

2006-02-08 Thread Chris
On 07/02/06, David Scheidt [EMAIL PROTECTED] wrote: On Tue, Feb 07, 2006 at 12:40:22AM +0200, Atis wrote: On Sun, 5 Feb 2006 18:55:13 -0500 David Scheidt [EMAIL PROTECTED] wrote: Nonsense. There may be some people that only scan well-known ports, but it's much more common to scan

Re: IP Banning (Using IPFW)

2006-02-06 Thread Atis
On Sun, 5 Feb 2006 18:55:13 -0500 David Scheidt [EMAIL PROTECTED] wrote: Nonsense. There may be some people that only scan well-known ports, but it's much more common to scan every port on a machine. If you're running a server on a non-standard port, an attacker will find it. sure, but

Re: IP Banning (Using IPFW)

2006-02-06 Thread David Scheidt
On Tue, Feb 07, 2006 at 12:40:22AM +0200, Atis wrote: On Sun, 5 Feb 2006 18:55:13 -0500 David Scheidt [EMAIL PROTECTED] wrote: Nonsense. There may be some people that only scan well-known ports, but it's much more common to scan every port on a machine. If you're running a server on

Re: IP Banning (Using IPFW)

2006-02-05 Thread Philip Hallstrom
I was wondering if there's some sort of port available that can actively ban IPs that try and bruteforce a service such as SSH or Telnet, by scanning the /var/log/auth.log log for Regex such as Illegal User or LOGIN FAILURES, and then using IPFW to essentially deny (ban) that IP for a certain

RE: IP Banning (Using IPFW)

2006-02-05 Thread fbsd_user
I find this kind of approach is treating the symptom and not the cause. The basic problem is the services have well published port numbers and attackers beat on those known port numbers. A much simpler approach is to change the standard port numbers to some high order port number. See

Re: IP Banning (Using IPFW)

2006-02-05 Thread Daniel A.
On 2/5/06, fbsd_user [EMAIL PROTECTED] wrote: I find this kind of approach is treating the symptom and not the cause. The basic problem is the services have well published port numbers and attackers beat on those known port numbers. A much simpler approach is to change the standard port

RE: IP Banning (Using IPFW)

2006-02-05 Thread fbsd_user
be meaningless. Please check your facts before commenting. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Daniel A. Sent: Sunday, February 05, 2006 4:58 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; Michael A. Alestock Subject: Re: IP Banning (Using IPFW

Re: IP Banning (Using IPFW)

2006-02-05 Thread Daniel A.
: IP Banning (Using IPFW) On 2/5/06, fbsd_user [EMAIL PROTECTED] wrote: I find this kind of approach is treating the symptom and not the cause. The basic problem is the services have well published port numbers and attackers beat on those known port numbers. A much simpler approach

Re: IP Banning (Using IPFW)

2006-02-05 Thread David Scheidt
On Sun, Feb 05, 2006 at 05:38:11PM -0500, fbsd_user wrote: You missed the whole meaning. Attackers only scan for the published service port numbers, that is what is meant by portscan the box. Those high order port numbers are dynamically used during normal session conversation. So any