Firewall Wizards mailing list archives
Re: ipchains FW, monitoring for scans, & how to react to them
From: Danny Rathjens <dkr () hq mycity com>
Date: Tue, 21 Dec 1999 02:36:14 -0500
"R. DuFresne" wrote:
On Mon, 20 Dec 1999, Danny Rathjens wrote:I'd also like any comments on my two ways of setting ipchains rules/portsentry and how to respond to probes of my boxen: 1. On a web server I thought it was a cool idea to have portsentry running and when it detected a connection to some port like 110, 1, or 31337, it would alert me and drop an ipchains rule in place that would prevent all further connections to any local port from the 'attacking' ip. Then I could have a cron'd script go through and flush these rules every once in a while. This way I would prevent any immediately following exploit/scan attempts from the same host, and still not have to worry about random dial-up and/or spoofed ip's belonging to my customers not working at some future time. So I am trying to foil attempts from a single IP once I know they are likely up to no good, but I let the shields down after a little while to avoid any problems with delivering my web content to the world.Bad idea for #1
Thanks for the input. Could you give me a little more insight as to why you say this is bad? Do you think the concept of reacting to the scans is bad or the implementation? -- "...you are already too old for fairy tales, and by the time it is printed and bound you will be older still. But some day you will be old enough to start reading fairy tales again." -- C. S. Lewis
Current thread:
- ipchains FW, monitoring for scans, & how to react to them Danny Rathjens (Dec 20)
- Re: ipchains FW, monitoring for scans, & how to react to them R. DuFresne (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them Danny Rathjens (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them R. DuFresne (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them Danny Rathjens (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them Crispin Cowan (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them Danny Rathjens (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them Crispin Cowan (Dec 21)
- Re: ipchains FW, monitoring for scans, & how to react to them Danny Rathjens (Dec 21)
- war dialers, are they a current threat? R. DuFresne (Dec 22)
- Re: war dialers, are they a current threat? S. Jonah Pressman (Dec 24)
- RE: war dialers, are they a current threat? Joseph Judge (Dec 26)
- Re: war dialers, are they a current threat? Dorian Moore (Dec 28)
- Re: ipchains FW, monitoring for scans, & how to react to them Danny Rathjens (Dec 21)
- Message not available
- Re: war dialers, are they a current threat? Eric Budke (Dec 24)
- Re: ipchains FW, monitoring for scans, & how to react to them R. DuFresne (Dec 21)