From: Boris Lorenz [mailto:bolo@lupa.de]
Sent: Monday, 19 February 2001 12:39
To: suse-security@suse.com
Subject: RE: [suse-security] Anti-Portscan tool

> Hi all,
>
> On 18-Feb-01 Thomas Lamy wrote:
>> I'm thinking of installing a tool which automatically blocks port
>> scanners at the gateway for a specific time (perhaps one day).
>
> There are numerous tools out there to achieve that. Portsentry
> (www.psionic.com/abacus/portsentry) is just one of them. I've heard
> binary (very extreme) opinions about it; some like it, some "hate" it.
>
> Basically it's a rather esoteric discussion whether to actively block
> incoming portscans, say via route-dropping, or to properly configure
> your firewall and some intrusion detection tools in order to let the
> admin know what's going on, without active blocking.

Currently I have a (basic) firewall script running, which blocks nasty
ports and spoofing on the whole net, and does thorough port filtering on
the servers. As this is at a small ISP, I can't do the "default policy
deny" thing (at least not on the dialup subnet). I get really large logs
from that script every night, and see the "usual" network scans, service
probes (mail/squid abuse etc.). For some time I used to write a mail to
the respective network admins, but after all I found I should have spent
my time on other things. :-(

> For a more complete approach you may visit www.snort.org. Snort is an
> intrusion detection/monitoring software which, together with tools like
> Guardian (also on www.snort.org), can be used to monitor, log and drop.

Well, I tried snort (but not guardian) from SuSE 7.0 on a friend's
machine, and it logged all kinds of DNS lookups, which were OK in my
opinion. Had a look at their support section, but found no (real)
solution. I think it's time to spend some time with it...

> Another good place to look for tools of that kind would be the Linux
> tools section of www.securityfocus.com, or start research about
> intrusion detection on www.securityportal.com.

I'll look there.

> The problem with such configurations is that you may have some
> non-hostile routes get dropped because of an anal portsentry-/snort
> setup. On the other hand, dropping routes from most script kiddies or
> win-trojan-scanners may have some "psychological effects", but after
> dropping the (dynamically assigned) IP address of such a kiddie he or
> she may hang up and dial in again, thus getting another IP address
> from his/her peer, and the scanning begins anew. This fills up your
> logfiles and may indeed lead to a denial of service in the worst case,
> but doesn't do any good.

This is the reason I want to block for only a certain amount of time
(calculated from my old log files). Sure, this wouldn't keep me from
being DoS'ed, but it keeps the kiddies out.

> Finally, if you drop routes from experienced black hats he or she may
> feel invited to have a second look into your network and to dig deeper
> into the bag of tricks, especially if you use portsentry's doubtful
> "feature" where a (probably offending) banner can be spit out after a
> denied connection attempt.

Good point.

> If you plan to set up intrusion/portscan detection systems you should
> not use any pro-active retaliation (route dropping, etc.) for a while,
> say a couple of months or so. During this period, carefully watch the
> output of these tools and finally make a decision whether to switch to
> active dropping based on these data.

Yep, as I already stated, I have as much as 2 years' logfiles of
portscans etc. And as usual, every new "feature" is looked at with
special care.

TIA, Thomas

> ---
> Boris Lorenz
> System Security Admin *nix - *nux
> --
> 6 x 9 = 42
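The time-limited blocking discussed in the thread (flag a source that probes many ports in a short window, block it for a bounded period, expire the block automatically, and keep hosts you depend on off the list so a non-hostile route never gets dropped), written out as an added example. This is not code from the thread, nor Portsentry's or Snort's. The log line format (`<epoch> SRC=<ip> DPT=<port>`), the threshold of 8 distinct ports within 60 seconds, the one-day cap, and the sample addresses are all assumptions made for the illustration; real ipchains/iptables log lines look different, and the script only computes the block list rather than touching the kernel firewall.

```python
"""Time-limited blocking of port scanners detected from firewall log lines.

Added example; not from the original thread, Portsentry or Snort.
ASSUMPTION: log lines use a constructed, simplified format
"<epoch> SRC=<ip> DPT=<port>"; real ipchains/iptables output differs.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\d+) SRC=(?P<src>[\d.]+) DPT=(?P<dpt>\d+)$")


def parse_line(line):
    """Return (timestamp, source_ip, destination_port), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("ts")), m.group("src"), int(m.group("dpt"))


def detect_scanners(lines, threshold=8, window=60):
    """Return {src_ip: detection_time} for sources that hit at least
    `threshold` distinct destination ports within `window` seconds.

    Per-source sliding window of (ts, port) events. A host that touches a
    few ports repeatedly (a resolver on 53, a relay retrying 25) never
    reaches the threshold, which keeps ordinary traffic off the block list.
    """
    events = defaultdict(list)  # src -> [(ts, port), ...]
    detected = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not firewall log entries
        ts, src, dpt = parsed
        if src in detected:
            continue  # already flagged; no need to keep counting
        kept = [(t, p) for (t, p) in events[src] if ts - t <= window]
        kept.append((ts, dpt))
        events[src] = kept
        if len({p for _, p in kept}) >= threshold:
            detected[src] = ts
    return detected


class BlockList:
    """Blocks with an expiry time, plus a never-block set for hosts that
    must stay reachable (own nets, upstream DNS, monitoring boxes)."""

    def __init__(self, never_block=(), max_duration=86400):
        self.never_block = set(never_block)
        self.max_duration = max_duration  # cap at one day (assumption)
        self._blocks = {}                 # ip -> expiry timestamp

    def block(self, ip, now, duration):
        """Block `ip` until now + duration (capped). Returns False if refused."""
        if ip in self.never_block:
            return False
        duration = min(duration, self.max_duration)
        self._blocks[ip] = max(self._blocks.get(ip, 0), now + duration)
        return True

    def is_blocked(self, ip, now):
        expiry = self._blocks.get(ip)
        return expiry is not None and now < expiry

    def expire(self, now):
        """Drop expired entries and return the list of IPs released."""
        released = sorted(ip for ip, exp in self._blocks.items() if now >= exp)
        for ip in released:
            del self._blocks[ip]
        return released


# Constructed sample log, not real traffic: one scanner, one DNS resolver,
# one mail relay, and one whitelisted host that also "scans".
SAMPLE_LOG = (
    [f"{1000 + i} SRC=203.0.113.7 DPT={p}"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 139, 143])]
    + ["1003 SRC=198.51.100.2 DPT=53", "1004 SRC=198.51.100.2 DPT=53",
       "1005 SRC=198.51.100.9 DPT=25", "1100 SRC=198.51.100.9 DPT=25"]
    + [f"{2000 + i} SRC=192.0.2.10 DPT={p}" for i, p in enumerate(range(1, 11))]
)


def run_example():
    """Detect scanners in SAMPLE_LOG, apply one-hour blocks, then expire them."""
    bl = BlockList(never_block={"192.0.2.10"})
    detected = detect_scanners(SAMPLE_LOG)
    for ip, seen in detected.items():
        bl.block(ip, seen, duration=3600)
    return {
        "detected": sorted(detected),
        "scanner_blocked": bl.is_blocked("203.0.113.7", 1010),
        "resolver_blocked": bl.is_blocked("198.51.100.2", 1010),
        "whitelisted_blocked": bl.is_blocked("192.0.2.10", 2100),
        "released": bl.expire(1007 + 3600),  # scanner flagged at ts 1007
    }


if __name__ == "__main__":
    print(run_example())
```

The cap on block duration and the never-block set address the two failure modes raised in the thread: a block that outlives the dial-up lease is pointless, and an unbounded auto-blocker will eventually drop a route you needed. In a real deployment the returned addresses would be fed to the firewall with an expiry handled by the same loop that runs `expire()`.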