On 18-Feb-01 Thomas Lamy wrote:
> Hi all,
> I think of installing a tool, which automatically blocks port scanners at the gateway for a specific time (perhaps one day).
There are numerous tools out to achieve that. Portsentry (www.psionic.com/abacus/portsentry) is just one of them. Basically it's a rather esoteric discussion whether to actively block incoming portscans, say via route-dropping, or to properly configure your firewall and some intrusion detection tools in order to let the admin know what's going on, without active blocking. For a more complete approach you may visit www.snort.org. Snort is an intrusion detection/monitoring software, which, together with tools like Guardian (also on www.snort.org), can be used to monitor, log and drop. Another good place to look for tools of that kind would be the linux tools section of www.securityfocus.com, or start research about intrusion detection on www.securityportal.com.
> Does such a beast exist (at best as SuSE-rpm)? And would it be really wise to do that? Any pitfalls?
Snort is part of the SuSE distro (series "sec"). The problem with such configurations is that you may have some non-hostile routes get dropped because of an anal portsentry-/snort-setup. On the other hand, dropping routes from most script kiddies or win-trojan-scanners may have some "psychological effects", but after dropping the (dynamically assigned) IP address of such a kiddie he or she may hang up and dial in again, thus getting another IP address from his/her peer, and the scanning begins anew. This fills up your logfiles and may indeed lead to a denial-of-service in the worst case, but doesn't do any good. Finally, if you drop routes from experienced black hats he or she may feel invited to have a second look into your network and to dig deeper into the bag of tricks, especially if you use portsentry's doubtful "feature" where a (probably offending) banner can be spit out after a denied connection attempt. If you plan to set up intrusion/portscan detection systems you should not use any pro-active retaliation (route droppings, etc.) for a while, say a couple of months or so. During this period, carefully watch the output of these tools and finally make a decision whether to switch to active dropping based on these data.
> TIA, Thomas
---
Boris Lorenz
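To make the monitor-first advice above concrete, here is an added illustration (not portsentry, snort or Guardian code, and not from either poster): a minimal scan watcher with a time-limited block list that can run in log-only mode or in active-dropping mode, replayed over a constructed log. The log format, the threshold of four distinct ports in 60 seconds, and the one-day block are assumptions chosen for the example; the second scanning address stands in for the "hang up and dial in again" pitfall.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_THRESHOLD = 4                  # distinct ports from one source within the window
SCAN_WINDOW = timedelta(seconds=60)
BLOCK_DURATION = timedelta(days=1)  # block "for a specific time (perhaps one day)"

class ScanWatcher:
    """Flags a source that probes SCAN_THRESHOLD distinct ports within SCAN_WINDOW.
    active=False is monitor mode: scans are recorded but nothing is ever blocked."""
    def __init__(self, active=False):
        self.active = active
        self.attempts = defaultdict(list)  # src -> [(time, dst_port)]
        self.blocked = {}                  # src -> block expiry time
        self.events = []                   # (time, src, action)

    def is_blocked(self, src, when):
        expiry = self.blocked.get(src)
        if expiry is not None and when < expiry:
            return True
        self.blocked.pop(src, None)        # a block lapses after BLOCK_DURATION
        return False

    def observe(self, when, src, dst_port):
        if self.is_blocked(src, when):
            return
        recent = [(t, p) for t, p in self.attempts[src] if when - t <= SCAN_WINDOW]
        recent.append((when, dst_port))
        self.attempts[src] = recent
        if len({p for _, p in recent}) >= SCAN_THRESHOLD:
            self.events.append((when, src, "block" if self.active else "log-only"))
            if self.active:
                self.blocked[src] = when + BLOCK_DURATION
            self.attempts[src] = []

# Constructed sample log, "<date> <time> <src> <dst_port>" (not any real tool's format):
# 192.0.2.7 sweeps four ports, then comes back as 192.0.2.8 (fresh dial-up address)
# and sweeps again; 198.51.100.5 is an ordinary client talking to port 80 only.
SAMPLE_LOG = """2001-02-18 10:00:01 192.0.2.7 21
2001-02-18 10:00:02 192.0.2.7 22
2001-02-18 10:00:02 198.51.100.5 80
2001-02-18 10:00:03 192.0.2.7 23
2001-02-18 10:00:04 192.0.2.7 25
2001-02-18 10:05:01 192.0.2.8 21
2001-02-18 10:05:02 192.0.2.8 22
2001-02-18 10:05:03 192.0.2.8 23
2001-02-18 10:05:04 192.0.2.8 25"""

def replay(log, active=False):
    # Feed every log line through one watcher and return it for inspection.
    w = ScanWatcher(active)
    for line in log.splitlines():
        date, clock, src, port = line.split()
        w.observe(datetime.fromisoformat(f"{date} {clock}"), src, int(port))
    return w
```

In monitor mode the replay yields two log-only events and an empty block list; in active mode both addresses end up blocked, which is exactly the reconnect-and-rescan effect Boris describes, while the ordinary client is never flagged.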