On 04-May-01 Daniel Quappe wrote:
hey list,
does anybody know an opportunity to block port-scans with ipchains etc. like some commercial firewalls do?!
any solution is appreciated...;-)
You may either use portsentry (www.psionic.com/abacus/portsentry) which recognises portscans and can then drop the route from/to the attacker using ipchains (or via tcpd wrapper), or you may choose snort (www.snort.org) together with guardian (also available at www.snort.org) to monitor for intrusions and drop routes of possible offenders.

Both portsentry and snort are quite easy to configure. Snort offers a more complete approach to intrusion detection because it covers a wide range of DoS/stack smashing/scanning/cgi abuse/icmp/trojan/etcetera attacks by using external rulesets which either can be downloaded from www.snort.org or written by yourself.

Finally, if you have time and resources to spend you may want to take a look at Network Flight Recorder (www.nfr.com), a full-blown IDS with a built-in intrusion detection programming language (N-code). However, this one has a non-free licensing scheme, at least for the full version, and is quite complex to manage and use.

Links:
FAQ: Network Intrusion Detection Systems
http://www.robertgraham.com/pubs/network-intrusion-detection.html
bye,
daniel
---
Boris Lorenz
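
The detect-then-block approach described in the reply, as an added example that is not part of the original thread and is not portsentry's or guardian's own code: it flags sources that touch many distinct ports within a short window and builds the ipchains rule that denies and logs them. The log format, the thresholds and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (assumed format): "<epoch-seconds> <source-ip> <dest-port>"
SAMPLE_LOG = """\
988970400 192.0.2.10 80
988970401 198.51.100.7 21
988970401 198.51.100.7 22
988970402 198.51.100.7 23
988970402 198.51.100.7 25
988970403 198.51.100.7 79
988970404 198.51.100.7 111
988970900 203.0.113.5 22
"""

def find_scanners(log_text, max_ports=5, window=10):
    """Return sources that hit more than max_ports distinct ports within window seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        ts, src, port = fields
        try:
            src = str(ipaddress.ip_address(src))  # reject anything that is not an IP
            events[src].append((int(ts), int(port)))
        except ValueError:
            continue
    scanners = []
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            if len({p for _, p in hits[start:end + 1]}) > max_ports:
                scanners.append(src)
                break
    return sorted(scanners)

def block_rule(src):
    """Build the ipchains argument list that denies and logs input from src."""
    src = str(ipaddress.ip_address(src))  # validate before it reaches a command line
    return ["ipchains", "-I", "input", "-s", src, "-j", "DENY", "-l"]

if __name__ == "__main__":
    for ip in find_scanners(SAMPLE_LOG):
        print(" ".join(block_rule(ip)))
```

Returning the rule as an argument list, with the address validated first, keeps a log-derived value from being interpreted by a shell when the rule is applied.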