Firewall Wizards mailing list archives
ipchains FW, monitoring for scans, & how to react to them
From: Danny Rathjens <dkr () hq mycity com>
Date: Mon, 20 Dec 1999 19:46:07 -0500
My question is how do you all feel about essentially doing
the firewalling on the webserver itself with ipchains instead
of a separate box that everything is filtered through.
I'd also like any comments on my two ways of setting ipchains
rules/portsentry and how to respond to probes of my boxen:
1. On a web server I thought it was a cool idea to have portsentry
running and when it detected a connection to some port like 110,
1, or 31337, it would alert me and drop an ipchains rule in place
that would prevent all further connections to any local port
from the 'attacking' ip. Then I could have a cron'd script go
through and flush these rules every once in a while. This way
I would prevent any immediately following exploit/scan attempts
from the same host, and still not have to worry about random
dial-up and/or spoofed ip's belonging to my customers not working
at some future time.
So I am trying to foil attempts from a single IP once I know
they are likely up to no good, but I let the shields down after
a little while to avoid any problems with delivering my web
content to the world.
2. An alternative is to have a very restrictive set of ipchains
rules in place and instead of using portsentry have a set of
ipchains DENY rules for the same port list portsentry listens on
and simply log the offending packets.
Notification won't be immediate like portsentry as I don't think
you can get ipchains to exec arbitrary code, but getting notified
when the logs get parsed is better than nothing.
With this alternative method we just have a little bit less security
since we can't use ipchains to refuse any further connections to any
port from that ip when we see them connecting to ports they shouldn't
be. I wonder if it is possible to modify the rules with the rules
themselves.
Thanks for any insight you all would be willing to give me on these
issues.
--
struct Programmer/Analyst 'Danny Rathjens' {this.place = "MyCity.com";}
Truth decays into beauty, while beauty soon becomes merely charm.
Charm ends up as strangeness, and even that doesn't last, but up and
down are forever.
Current thread:
- ipchains FW, monitoring for scans, & how to react to them Danny Rathjens (Dec 20)
- Re: ipchains FW, monitoring for scans, & how to react to them R. DuFresne (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them Danny Rathjens (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them R. DuFresne (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them Danny Rathjens (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them Crispin Cowan (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them Danny Rathjens (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them Crispin Cowan (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them Danny Rathjens (Dec 21)
- war dialers, are they a current threat? R. DuFresne (Dec 22)
- Re: war dialers, are they a current threat? S. Jonah Pressman (Dec 24)
- RE: war dialers, are they a current threat? Joseph Judge (Dec 26)
- Re: ipchains FW, monitoring for scans, & how to react to them Danny Rathjens (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them R. DuFresne (Dec 21)