Security Basics mailing list archives

Re: Dealing with Scans (portscans, vulnerability, etc.)


From: Jon Kibler <Jon.Kibler () aset com>
Date: Tue, 24 Nov 2009 11:36:09 -0500


Tony Raboza wrote:

> I want my IDS console not to be too cluttered, that's why I'm tuning
> it.  If it's too cluttered I might be missing out on the really
> important alerts.
>
> What about you?  How do you deal with port/vulnerability scans?  Is it
> illegal btw?

First, your border firewall rules should block all inbound traffic that:
   1) Is not targeted to a known service on a known IP address on your network.
   2) Is not in response to traffic initiated from your network.
These two steps should cut down on a lot of the IDS noise.

Next, for services that you have exposed, run fail2ban (or a similar tool) that
blocks morons trying to attack those services.

Then, report your firewall logs to DShield.

Do NOT ignore scans. They are the first sign that someone is probing you for a
potential attack.

Bottom line: If your IDS is seeing port/vuln scans from outside your network,
then either your IDS sensor is improperly positioned in your network
architecture, or you have really lame firewall rules on your border firewall.

Finally, regarding the "legality" of doing port scans, the answer is "it
depends." If you want an earful on this topic, talk to Scott Moulton -- he was
criminally prosecuted for port scanning a system on which he was authorized to
perform a vulnerability assessment.

Hope this helps!

Jon K
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler () aset com
e: Jon.R.Kibler () gmail com
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


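The two border-firewall rules Jon lists above (inbound only to a known service, or only in reply to traffic we initiated), modelled as a small stateful filter over a constructed packet trace, with the dropped packets summarised per source so the scan the post says not to ignore shows up. This is example code added to this archive page, not from the original message; the IP addresses, service list and scan threshold are constructed values.

```python
"""Model of the two border rules from the message above. Added example, not from the post."""
from collections import defaultdict

# Known exposed services as (server IP, protocol, port). Constructed values.
KNOWN_SERVICES = {("203.0.113.10", "tcp", 80), ("203.0.113.10", "tcp", 443),
                  ("203.0.113.20", "tcp", 22)}
SCAN_THRESHOLD = 5  # distinct refused ports from one source before we flag a scan


def filter_trace(packets, services=KNOWN_SERVICES, threshold=SCAN_THRESHOLD):
    """Return (allowed, dropped, scanners) for a list of packet dicts.

    Rule 1: inbound is allowed only to a known (IP, proto, port).
    Rule 2: inbound is allowed if it answers a connection our side initiated
            (tracked as the 5-tuple the outbound packet created).
    Everything else inbound is dropped; sources refused on many ports are flagged.
    """
    allowed, dropped = [], []
    initiated = set()                 # (local_ip, lport, remote_ip, rport, proto)
    blocked_ports = defaultdict(set)  # source IP -> ports it was refused on
    for p in packets:
        if p["dir"] == "out":
            initiated.add((p["src"], p["sport"], p["dst"], p["dport"], p["proto"]))
            allowed.append(p)  # outbound policy is out of scope here
            continue
        to_service = (p["dst"], p["proto"], p["dport"]) in services
        is_reply = (p["dst"], p["dport"], p["src"], p["sport"], p["proto"]) in initiated
        if to_service or is_reply:
            allowed.append(p)
        else:
            dropped.append(p)
            blocked_ports[p["src"]].add(p["dport"])
    scanners = {src: sorted(ports) for src, ports in blocked_ports.items()
                if len(ports) >= threshold}
    return allowed, dropped, scanners


def pkt(direction, src, sport, dst, dport, proto="tcp"):
    return {"dir": direction, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "proto": proto}


SAMPLE_TRACE = [  # constructed trace, not captured traffic
    pkt("in", "198.51.100.7", 40001, "203.0.113.10", 443),          # web client: rule 1
    pkt("out", "203.0.113.30", 51000, "198.51.100.53", 53, "udp"),  # our DNS query
    pkt("in", "198.51.100.53", 53, "203.0.113.30", 51000, "udp"),   # its answer: rule 2
    pkt("in", "198.51.100.53", 53, "203.0.113.30", 51001, "udp"),   # unsolicited: drop
] + [pkt("in", "192.0.2.99", 45000 + i, "203.0.113.20", port)     # probe of six ports
     for i, port in enumerate((21, 23, 25, 110, 139, 445))]
```

Running `filter_trace(SAMPLE_TRACE)` allows three packets, drops seven, and reports 192.0.2.99 as the only scanner; the dropped set is what you would log and feed to DShield.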
