hey list,

does anybody know an opportunity to block port-scans with ipchains etc. like some commercial firewalls do?!
any solution is appreciated...;-)

bye,
daniel

--
GMX - The communication platform on the Internet. http://www.gmx.net
On 04-May-01 Daniel Quappe wrote:
> hey list,
> does anybody know an opportunity to block port-scans with ipchains etc. like some commercial firewalls do?!
> any solution is appreciated...;-)
You may either use portsentry (www.psionic.com/abacus/portsentry), which recognises portscans and can then drop the route from/to the attacker using ipchains (or via the tcpd wrapper), or you may choose snort (www.snort.org) together with guardian (also available at www.snort.org) to monitor for intrusions and drop routes of possible offenders. Both portsentry and snort are quite easy to configure.

Snort offers a more complete approach to intrusion detection because it covers a wide range of DoS/stack smashing/scanning/cgi abuse/icmp/trojan/etcetera attacks by using external rulesets which can either be downloaded from www.snort.org or written by yourself.

Finally, if you have time and resources to spend you may want to take a look at Network Flight Recorder (www.nfr.com), a full-blown IDS with an inbuilt intrusion detection programming language (N-code). However, this one has a non-free licensing scheme, at least for the full version, and is quite complex to manage and use.

Links:
FAQ: Network Intrusion Detection Systems
http://www.robertgraham.com/pubs/network-intrusion-detection.html
> bye,
> daniel

---
Boris Lorenz <bolo@lupa.de>
System Security Admin *nix - *nux
---
I don't think automatic dropping of the routes is a good idea. What if an attacker spoofs the source address using the IP addresses of a router you are attached to, your name server's IP address or the IP addresses of the root name servers? This would be a nice and pretty easy DoS.

Bjoern Engels
Trainer & Consultant
LANWORKS AG
---------------------------------------------
E-Mail: Bjoern Engels <bengels@lanworks.de>
---------------------------------------------
On 04-May-01 Bjoern Engels wrote:
> I don't think automatic dropping of the routes is a good idea. What if an attacker spoofs the source address using the IP addresses of a router you are attached to, your name server's IP address or the IP addresses of the root name servers? This would be a nice and pretty easy DoS.
This only happens if you use tools like portsentry with its defaults and do not exclude certain ip addresses from being dropped (namely routers, switching routers, your own static ip, etc.). If you'd get caught by such a "DoS" using portsentry you'd basically suffer from a RTFM problem ... ;-)

Furthermore, portsentry/guardian can be set to notify-only so that routes don't get dropped for real but get written into a log file for later inspection. This can be monitored for a while to learn more about the tool's behaviour.

Additional measures concerning IP spoofing can be introduced by tightly configuring a packet screening/stateful firewall based on ipchains/netfilter, making sure that spoofing attempts with local IPs, source routed packages and other martians are blocked.
> Bjoern Engels
> Trainer & Consultant
> LANWORKS AG

---
Boris Lorenz <bolo@lupa.de>
System Security Admin *nix - *nux
---
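The two safeguards Boris describes (an ignore list for routers, name servers and your own address, and a notify-only mode you can watch before letting the tool drop routes for real) are easy to see in a small script. The following is an added example written for this thread; it is not code from portsentry, snort/guardian, or any of the posters. It assumes ipchains with the built-in "input" chain and an external interface eth0, and every address in it is a constructed sample. The `antispoof_rules` function adds the complementary ipchains rules for local and martian source addresses that Boris mentions at the end, so a spoofed "router" packet never reaches the scan detector in the first place.

```shell
#!/bin/sh
# Added example, not code from portsentry, snort/guardian, or any poster in
# this thread. Guarded "drop the scanner" hook: an ignore list of addresses
# that must never be blocked (gateway, resolver, own address, loopback) and
# a notify-only mode that logs the rule instead of applying it. A second
# function emits ipchains anti-spoofing rules for local/martian sources.
# Assumptions: ipchains with the built-in "input" chain, external interface
# eth0; every address below is a constructed sample.

# Constructed ignore list: upstream router, name server, own static IP, loopback.
NEVER_BLOCK="192.0.2.1 192.0.2.53 192.0.2.10 127.0.0.1"
# NOTIFY_ONLY=1 (the default here) writes the would-be rule to LOGFILE only.
NOTIFY_ONLY=${NOTIFY_ONLY:-1}
LOGFILE=${LOGFILE:-/tmp/scanblock.log}
EXT_IF=${EXT_IF:-eth0}

# is_ignored IP: succeeds when IP is on the ignore list.
is_ignored() {
  for a in $NEVER_BLOCK; do
    [ "$1" = "$a" ] && return 0
  done
  return 1
}

# is_ipv4 IP: succeeds for a dotted quad with octets 0-255, so that garbage
# parsed out of a log line can never turn into a firewall rule.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# block_rule IP: prints the ipchains command that would deny and log the host.
block_rule() {
  echo "ipchains -I input -i $EXT_IF -s $1 -j DENY -l"
}

# block_host IP: the guarded reaction. Prints one of
#   INVALID ip / IGNORED ip (refused, exit 1) or NOTIFY ip / BLOCKED ip (exit 0).
block_host() {
  ip=$1
  if ! is_ipv4 "$ip"; then
    echo "INVALID $ip"
    return 1
  fi
  if is_ignored "$ip"; then
    echo "IGNORED $ip"
    return 1
  fi
  if [ "$NOTIFY_ONLY" = 1 ]; then
    echo "$(date '+%Y-%m-%d %H:%M:%S') would-run: $(block_rule "$ip")" >> "$LOGFILE"
    echo "NOTIFY $ip"
  else
    # Live mode: actually install the rule (needs root and ipchains).
    eval "$(block_rule "$ip")" || return 1
    echo "BLOCKED $ip"
  fi
  return 0
}

# antispoof_rules EXT_IF LOCAL_NET: prints ipchains rules that deny and log
# packets arriving on the external interface whose source claims to be the
# local network, loopback, RFC1918 space, or another martian range.
antispoof_rules() {
  ext=$1
  lan=$2
  for net in "$lan" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
             0.0.0.0/8 224.0.0.0/4; do
    echo "ipchains -A input -i $ext -s $net -j DENY -l"
  done
}

# Demo on constructed addresses (run as: sh scanblock.sh demo).
demo() {
  for ip in 203.0.113.9 192.0.2.53 999.1.1.1; do
    block_host "$ip" || true
  done
  antispoof_rules "$EXT_IF" 192.0.2.0/24
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `demo` to see one address logged in notify-only mode, the name server refused as IGNORED, and a malformed address refused as INVALID; only after the log has been watched for a while would NOTIFY_ONLY be set to 0. The ignore list is deliberately a hard-coded allowlist rather than something read from the same logs the detector parses, so a spoofed scan can never talk the script out of protecting its own gateway.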
Psionic PortSentry
http://www.psionic.com

It's a GOOD thing, IMO! I have an article here somewhere that was EXCELLENT in walking me through a fast setup of it.

Geordon

----- Original Message -----
From: "Daniel Quappe" <mailinglists@gmx.li>
To: <suse-security@suse.de>
Sent: Friday, May 04, 2001 7:46 AM
Subject: [suse-security] port-scan-blocker

> hey list,
> does anybody know an opportunity to block port-scans with ipchains etc. like some commercial firewalls do?!
> any solution is appreciated...;-)
> bye,
> daniel
>
> --
> GMX - The communication platform on the Internet. http://www.gmx.net