Firewall Wizards mailing list archives
Re: ipchains FW, monitoring for scans, & how to react to them
From: Danny Rathjens <dkr () hq mycity com>
Date: Tue, 21 Dec 1999 02:31:40 -0500
Crispin Cowan wrote:
I think the primary threat to web servers is the active content processing programs (the CGIs, the Perl scripts, the JSP's, the ASP's, etc.) all of which are accessed using HTTP requests, usually through port 80. Thus firewalls, whether on the web server or elsewhere, are essentially useless in protecting the web server. The firewall either blocks access to the web server, or grants it. No other magic happens.
Well, that is what I am trying to avoid. I want to make more magic happen, 8^) see below, please.
Danny Rathjens wrote:
1. On a web server I thought it was a cool idea to have portsentry running and when it detected a connection to some port like 110, 1, or 31337, it would alert me and drop an ipchains rule in place
If your web server is responding to ports other than 80, then it is badly configured. Fix it so that it only responds to port 80 (and whatever you use to publish) and you won't have to care about people portscanning it.
My conjecture was that disallowing any access to port 80 from an address that has in the near past attempted to connect to a port such as 1 (indicative of a port scan) would increase the security of my web server. I don't think this point is very debatable (although, as someone pointed out, the DOS possibilities could be significant if I implement it improperly). As to responding to ports other than 80, I don't believe either of my two implementation suggestions fall in that category since the ipchains DENY rule drops the packet (e.g. headed for port 1) on the ground and portsentry configured properly remains mute as well.
I'd look to techniques such as CGI Wrap or chroot() to protect your web server. My company also has some technologies to address these problems, which I won't hype here for fear of tooting my own horn too much.
Yeah, I definitely need to do this as well. Thanks for the advice.
--
"...you are already too old for fairy tales, and by the time it is printed and bound you will be older still. But some day you will be old enough to start reading fairy tales again." -- C. S. Lewis
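The scan-triggered block discussed in this message, sketched as an added example that is not part of the original post or of portsentry: it reads ipchains packet-log lines, treats refused TCP packets to the ports named above as probes, and produces time-limited port-80 DENY rules. The expiry, the cap, the allowlist and the sample log lines are assumptions added here to bound the denial-of-service risk the post mentions.

```python
import re

TRIPWIRE_PORTS = {1, 110, 31337}   # ports named in the post
BLOCK_SECONDS = 600                # assumed block lifetime
MAX_BLOCKS = 1000                  # assumed cap on live blocks
NEVER_BLOCK = {"192.0.2.1"}        # assumed allowlist (gateway, admin host)

# ipchains kernel log: chain, verdict, interface, protocol, src:port, dst:port
LOG_RE = re.compile(
    r"Packet log: input (?:DENY|REJECT) \S+ PROTO=6 "
    r"(\d+\.\d+\.\d+\.\d+):\d+ \d+\.\d+\.\d+\.\d+:(\d+) ")

def probe_source(line):
    """Source address of a refused TCP packet aimed at a tripwire port, else None."""
    m = LOG_RE.search(line)
    return m.group(1) if m and int(m.group(2)) in TRIPWIRE_PORTS else None

def active_blocks(events, now):
    """events: (epoch_seconds, log_line) in time order. Returns {source: expiry}."""
    blocks = {}
    for ts, line in events:
        blocks = {s: e for s, e in blocks.items() if e > ts}   # expire old entries
        src = probe_source(line)
        if src is None or src in NEVER_BLOCK:
            continue   # allowlisted sources can be spoofed by a scanner; never block them
        if src in blocks or len(blocks) < MAX_BLOCKS:
            blocks[src] = ts + BLOCK_SECONDS
    return {s: e for s, e in blocks.items() if e > now}

def deny_rules(blocks):
    """ipchains commands (returned as text, not run) refusing port 80 to each blocked source."""
    return [f"ipchains -I input -p tcp -s {s} -d 0.0.0.0/0 80 -j DENY"
            for s in sorted(blocks)]

PFX = "Dec 21 02:00:00 www kernel: Packet log: input "   # constructed sample prefix
TAIL = " L=60 S=0x00 I=4112 F=0x0000 T=52 (#4)"
SAMPLE = [   # constructed log lines, documentation address ranges
    (200,  PFX + "DENY eth0 PROTO=6 203.0.113.50:3310 203.0.113.10:110" + TAIL),
    (1000, PFX + "DENY eth0 PROTO=6 198.51.100.7:4021 203.0.113.10:1" + TAIL),
    (1010, PFX + "DENY eth0 PROTO=6 192.0.2.1:4022 203.0.113.10:31337" + TAIL),
    (1020, PFX + "ACCEPT eth0 PROTO=6 198.51.100.9:4023 203.0.113.10:80" + TAIL),
    (1030, PFX + "DENY eth0 PROTO=17 198.51.100.8:53 203.0.113.10:1" + TAIL),
]

if __name__ == "__main__":
    for rule in deny_rules(active_blocks(SAMPLE, now=1100)):
        print(rule)
```

Of the five sample lines only the probe from 198.51.100.7 yields a rule: the earlier probe has expired, the allowlisted source is skipped, and the accepted port-80 request and the UDP packet are not counted as probes.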