Re: ipchains FW, monitoring for scans, & how to react to them

["R. DuFresne" <dufresne () sysinfo com>]

On Tue, 21 Dec 1999, Danny Rathjens wrote:

> "R. DuFresne" wrote:
> > On Mon, 20 Dec 1999, Danny Rathjens wrote:
> > > I'd also like any comments on my two ways of setting ipchains
> > > rules/portsentry and how to respond to probes of my boxen:
> > >
> > > 1. On a web server I thought it was a cool idea to have portsentry
> > > running and when it detected a connection to some port like 110,
> > > 1, or 31337, it would alert me and drop an ipchains rule in place
> > > that would prevent all further connections to any local port
> > > from the 'attacking' ip.  Then I could have a cron'd script go
> > > through and flush these rules every once in a while.  This way
> > > I would prevent any immediately following exploit/scan attempts
> > > from the same host, and still not have to worry about random
> > > dial-up and/or spoofed ip's belonging to my customers not working
> > > at some future time.
> > > So I am trying to foil attempts from a single IP once I know
> > > they are likely up to no good, but I let the shields down after
> > > a little while to avoid any problems with delivering my web
> > > content to the world.
> >
> > Bad idea for #1
> Thanks for the input.
> Could you give me a little more insight as to why you say 
> this is bad?  Do you think the concept of reacting to the scans
> is bad or the implementation?

 the implementation, for if yer allowing more then port 80 through yer
rules are not strict enough.

Thanks,


Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!