Firewall Wizards mailing list archives

Re: ipchains FW, monitoring for scans, & how to react to them


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 20 Dec 1999 21:35:34 -0600 (CST)

On Mon, 20 Dec 1999, Danny Rathjens wrote:

> My question is how do you all feel about essentially doing
> the firewalling on the webserver itself with ipchains instead
> of a separate box that everything is filtered through.


If you do not have the equipment available, this is better than nothing.
I'd just as soon see the packet filter in front, as well as on the server,
the one on the server blocking all but 80 to the internet and allowing
what few services <ssh> from the inside network to manage the box.

> I'd also like any comments on my two ways of setting ipchains
> rules/portsentry and how to respond to probes of my boxen:
>
> 1. On a web server I thought it was a cool idea to have portsentry
> running and when it detected a connection to some port like 110,
> 1, or 31337, it would alert me and drop an ipchains rule in place
> that would prevent all further connections to any local port
> from the 'attacking' ip.  Then I could have a cron'd script go
> through and flush these rules every once in a while.  This way
> I would prevent any immediately following exploit/scan attempts
> from the same host, and still not have to worry about random
> dial-up and/or spoofed ip's belonging to my customers not working
> at some future time.
> So I am trying to foil attempts from a single IP once I know
> they are likely up to no good, but I let the shields down after
> a little while to avoid any problems with delivering my web
> content to the world.

Bad idea for #1


> 2. An alternative is to have a very restrictive set of ipchains
> rules in place and instead of using portsentry have a set of
> ipchains DENY rules for the same port list portsentry listens on
> and simply log the offending packets.


I'd restrict as said above all but the service the box is running, logging
is okay, but, could be a denial of service risk if an attacker fills your
drive<s>.

> Notification won't be immediate like portsentry as I don't think
> you can get ipchains to exec arbitrary code, but getting notified
> when the logs get parsed is better than nothing.


Actually, there are some nice tools out there that could parse those
logs on the fly.  No need to rely on something to happen after the fact
nor to rebuild the wheel.

> With this alternative method we just have a little bit less security
> since we can't use ipchains to refuse any further connections to any
> port from that ip when we see them connecting to ports they shouldn't
> be.  I wonder if it is possible to modify the rules with the rules
> themselves.
>
> Thanks for any insight you all would be willing to give me on these
> issues.


Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
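The "parse the logs on the fly" approach from the reply above, as an added example that is not part of the original thread: a small watcher for the kernel's ipchains "Packet log:" lines that counts, per source address, how many of the logged sentry ports (the 1/110/31337 list from the question) were hit and flags sources that touched more than one. The log lines, the sentry port set and the threshold are constructed for the example; only the ipchains log line layout is real.

```python
import re
from collections import defaultdict

# Ports the DENY rules log on (the list portsentry would otherwise watch); constructed.
SENTRY_PORTS = {1, 110, 31337}
THRESHOLD = 2  # distinct sentry ports one source must hit before we alert

# Kernel 2.2 ipchains log line: "Packet log: <chain> <target> <iface> PROTO=<n> src:sport dst:dport ..."
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed syslog excerpt: one source walks three sentry ports, one touches a single
# port, and one legitimate SYN to port 80 is logged by an ACCEPT rule.
SAMPLE_LOG = """\
Dec 20 21:01:02 www kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:4021 192.0.2.10:110 L=60 S=0x00 I=1 F=0x4000 T=51 SYN (#4)
Dec 20 21:01:03 www kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:4022 192.0.2.10:31337 L=60 S=0x00 I=2 F=0x4000 T=51 SYN (#4)
Dec 20 21:01:04 www kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:33000 192.0.2.10:110 L=60 S=0x00 I=3 F=0x4000 T=51 SYN (#4)
Dec 20 21:01:05 www kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.9:5000 192.0.2.10:80 L=60 S=0x00 I=4 F=0x4000 T=51 SYN (#2)
Dec 20 21:01:06 www kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:4023 192.0.2.10:1 L=60 S=0x00 I=5 F=0x4000 T=51 SYN (#4)
"""


def parse_line(line):
    """Return (src, dport, target) for an ipchains log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("dport")), m.group("target")


def scan_sources(lines, threshold=THRESHOLD):
    """Map each source to the sorted sentry ports it hit, keeping only sources at/over threshold."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a packet-log line (or a garbled one): ignore, don't crash
        src, dport, target = parsed
        if target == "DENY" and dport in SENTRY_PORTS:
            hits[src].add(dport)
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= threshold}


if __name__ == "__main__":
    for src, ports in scan_sources(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {src} probed sentry ports {ports}")
```

Run it over a `tail -f` of the kernel log to get notification close to what portsentry gives, without granting the log parser the power to rewrite the rule set.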


