Mailinglist Archive: opensuse-security (636 mails)
RE: [suse-security] Anti-Portscan tool
- From: Boris Lorenz <bolo@xxxxxxx>
- Date: Mon, 19 Feb 2001 12:39:01 +0100 (MET)
- Message-id: <XFMail.010219123901.bolo@xxxxxxx>
On 18-Feb-01 Thomas Lamy wrote:
> Hi all,
> I think of installing a tool, which automatically blocks port scanners at
> the gateway for a specific time (perhaps one day).
There are numerous tools out to achieve that. Portsentry
(www.psionic.com/abacus/portsentry) is just one of them. Basically it's a
rather esoteric discussion whether to actively block incoming portscans, say via
route-dropping, or to properly configure your firewall and some intrusion
detection tools in order to let the admin know what's going on, without active
For a more complete approach you may visit www.snort.org. Snort is an intrusion
detection/monitoring software, which, together with tools like Guardian (also
on www.snort.org), can be used to monitor, log and drop.
Another good place to look for tools of that kind would be the linux tools
section of www.securityfocus.com, or start research about intrusion detection on
> Does such a beast exist (at best as SuSE-rpm) ? And would it be really wise
> to do that? Any pitfalls?
Snort is part of the SuSE distro (series "sec").
The problem with such configurations is that you may have some non-hostile
routes get dropped because of an anal portsentry-/snort-setup. On the other
hand, dropping routes from most script kiddies or win-trojan-scanners may have
some "psychological effects", but after dropping the (dynamically assigned) IP
address of such a kiddie he or she may hang up and dial in again, thus getting
another IP address from his/her peer, and the scanning begins anew. This fills
up your logfiles and may indeed lead to a denial-of-service in the worst case,
but doesn't do any good.
Finally, if you drop routes from experienced black hats he or she may feel
invited to have a second look into your network and to dig deeper into the bag
of tricks, especially if you use portsentry's doubtful "feature" where a
(probably offending) banner can be spit out after a denied connection attempt.
If you plan to set up intrusion/portscan detection systems you should not use
any pro-active retaliation (route droppings, etc.) for a while, say a couple of
months or so. During this period, carefully watch the output of these tools and
finally make a decision whether to switch to active dropping based on these data.
Boris Lorenz <bolo@xxxxxxx>
System Security Admin *nix - *nux
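A minimal version of the time-limited gateway blocker Thomas asks about, added here as an illustration and not taken from the thread, from portsentry or from Snort/Guardian; the allowlist, the one-day expiry and the bounded block table are assumptions about the safeguards Boris's objections call for, and every host, port and timestamp is constructed.

```python
# Added example, not from the thread: a minimal time-limited auto-blocker with
# the safeguards Boris argues for (allowlist, automatic expiry, bounded block
# table). Hosts, ports and timestamps below are constructed.
from collections import defaultdict, OrderedDict

SCAN_WINDOW = 60            # seconds over which distinct ports are counted
PORT_THRESHOLD = 5          # distinct ports per source in the window => scan
BLOCK_SECONDS = 86400       # "a specific time (perhaps one day)"
MAX_BLOCKS = 1000           # cap on the block table; oldest entry is evicted
ALLOWLIST = {"192.0.2.10"}  # constructed: the admin's own monitoring host

class ScanBlocker:
    def __init__(self):
        self.seen = defaultdict(list)   # src -> [(ts, dst_port), ...]
        self.blocked = OrderedDict()    # src -> expiry timestamp

    def _expire(self, now):
        for src in [s for s, exp in self.blocked.items() if exp <= now]:
            del self.blocked[src]

    def observe(self, ts, src, dst_port):
        """Feed one connection attempt; return True if src is dropped."""
        self._expire(ts)
        if src in ALLOWLIST:            # never drop a known non-hostile route
            return False
        if src in self.blocked:         # already dropped, no per-packet logging
            return True
        hits = [(t, p) for t, p in self.seen[src] if ts - t <= SCAN_WINDOW]
        hits = hits + [(ts, dst_port)]
        self.seen[src] = hits
        if len({p for _, p in hits}) < PORT_THRESHOLD:
            return False
        if len(self.blocked) >= MAX_BLOCKS:
            self.blocked.popitem(last=False)  # bound memory, evict oldest
        self.blocked[src] = ts + BLOCK_SECONDS
        del self.seen[src]
        return True

    def is_blocked(self, src, now):
        self._expire(now)
        return src in self.blocked

def run_demo():
    """Constructed: a scanner, the same scanner back on a new dial-up address,
    and the allowlisted monitor probing the same ports."""
    b = ScanBlocker()
    events = [(t, "198.51.100.7", 20 + t) for t in range(6)]
    events += [(100 + t, "198.51.100.8", 20 + t) for t in range(6)]
    events += [(200 + t, "192.0.2.10", 20 + t) for t in range(6)]
    dropped = [src for ts, src, port in events if b.observe(ts, src, port)]
    return b, dropped
```

The second scanner address is blocked independently of the first, which is exactly the re-dial behaviour Boris describes; the cap only bounds the table, it does not make the approach catch the same person twice.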