AW: [suse-security] Anti-Portscan tool

19 Feb 2001


      ...
Von: Boris Lorenz [mailto:bolo@lupa.de]
Gesendet: Montag, 19. Februar 2001 12:39
An: suse-security@suse.com
Betreff: RE: [suse-security] Anti-Portscan tool
...
Hi all,
I think of installing a tool, which automatically blocks
On 18-Feb-01 Thomas Lamy wrote:
port scanners at
...
the gateway for a specific time (perhaps one day).
There are numerous tools out to achieve that. Portsentry
(www.psionic.com/abacus/portsentry) is just one of them. 
I've heard binary (very extreme) opinions about it; some like it, some
"hate" it.
...
Basically it's a
rather esoteric discussion wether to actively block incoming 
portscans, say via
route-dropping, or to properly configure your firewall and 
some intrusion
detection tools in order to let the admin know what's going 
on, without active
blocking.
Currently I have a (basic) firewall script running, which blocks nasty ports
and spoofing on the whole net, and does thorough port filtering on the
servers. As this is at a small ISP, I can't do the "default policy deny"
thing (at least not on the dialup subnet).
I get real large logs from that script every night, and see the "usual"
network scans, service probes (mail/squid abuse etc). For some time I used
to write a mail to the respective network admins, but after all I found I
should have spent my time on other things. :-(
...
For a more complete approach you may visit www.snort.org. 
Snort is an intrusion
detection/monitoring software, which, together with tools 
like Guardian (also
on www.snort.org), can be used to monitor, log and drop.
Well, I tried snort on (but not guardian) from SuSE 7.0 on a friend's
machine, and it logged all kind of dns lookups, which were ok in my opinion.
Had a look at their support section, but found no (real) solution.
I think it's time to spend some time with it...
...
Another good place to look for tools of that kind would be 
the linux tools
section of www.securityfocus.com, or start research about 
intrusion detection on
www.securityportal.com.
I'll look there.
...
The problem with such configurations is that you may have 
some non-hostile routes get dropped because of an anal 
portsentry-/snort-setup. On the other hand, dropping routes from most
script kiddies or
...
win-trojan-scanners may have some "psychological effects", but after
dropping the 
(dynamically assigned) IP address of such a kiddie he or she may hang up
and dialin 
again, thus getting an other IP address from his/her peer, and the
scanning 
begins anew. This fills up your logfiles and may indeed lead to a
denial-of-service 
in the worst case, but doesn't do any good.
This is the reason I want to block for only a certain amount of time
(calculated from my old log files). Sure this wouldn't keep me from being
DoS'ed, but it keeps the kiddies out.
Finally, if you drop routes from experienced black hats he or 
she may feel
invited to have a second look into your network and to dig 
deeper into the bag
of tricks, especially if you use portsentry's doubtful 
"feature" where a
(probably offending) banner can be spit out after a denied 
connection attempt.
Good point.
...
If you plan to set up intrusion/portscan detection systems 
you should not use
any pro-active retaliation (route droppings, etc.) for a 
while, say a couple of
months or so. During this period, carefully watch the output 
of these tools and
finally make a decision wether to switch to active dropping 
based on these data.
Yep, as I already stated, I have as much as 2 year's logfiles of portscans
etc. And as usual, every new "feature" is looked at with special care.
...
...
TIA,
  Thomas
---
Boris Lorenz 
System Security Admin *nix - *nux
-- 
6 x 9 = 42