Firewall Wizards mailing list archives

Re: ipchains FW, monitoring for scans, & how to react to them


From: "Thom Dyson" <TDyson () sybex com>
Date: Tue, 21 Dec 1999 07:38:28 -0800

A conversation about this sort of auto-blocking came up at the SANS
conference last week.  It was pointed out that if you have this, it could
be the basis of a very effective DoS attack with just a little IP spoofing.
Given the trend toward low and slow scans, your "DENY flush" interval would
have to be fairly long.  You have to weigh the risks in your environment.

A couple of the speakers on intrusion detection basically said, "We get so
many probes on things like IMAP and BO, that as long as they are outside
the firewall, they just aren't that interesting."  It is probes inside the
firewall(s) that are interesting.  They weren't too worried about probes
for services that they know aren't running on a particular machine.  It was
the unknown probes (a la new trojans) that seemed to be the biggest
concern.

WRT firewalling on the web server without a second separate fw, I'm a huge
fan of one task per machine.  Ipchains on the web server is a good idea,
but not as a replacement for a separate perimeter defense.

Thom Dyson
Director of Information Services
Sybex, Inc


From: Danny Rathjens <dkr@hq.mycity.com>
Date: 12/20/1999 04:46 PM
Please respond to Danny Rathjens
To: Firewalls <firewall-wizards () nfr net>
cc: (bcc: Thom Dyson/Sybex)
Subject: ipchains FW, monitoring for scans, & how to react to them

My question is how do you all feel about essentially doing
the firewalling on the webserver itself with ipchains instead
of a separate box that everything is filtered through.
I'd also like any comments on my two ways of setting ipchains
rules/portsentry and how to respond to probes of my boxen:
1. On a web server I thought it was a cool idea to have portsentry
running and when it detected a connection to some port like 110,
1, or 31337, it would alert me and drop an ipchains rule in place
that would prevent all further connections to any local port
from the 'attacking' ip.  Then I could have a cron'd script go
through and flush these rules every once in a while.  This way
I would prevent any immediately following exploit/scan attempts
from the same host, and still not have to worry about random
dial-up and/or spoofed ip's belonging to my customers not working
at some future time.
So I am trying to foil attempts from a single IP once I know
they are likely up to no good, but I let the shields down after
a little while to avoid any problems with delivering my web
content to the world.
[snip]
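The mechanism Danny describes (portsentry detects a probe, a DENY rule for that source is dropped into ipchains, a cron job flushes the rules later) and the caveat Thom raises (a spoofed probe can make you block an address you depend on, so the auto-blocker is a DoS lever) can be combined in one small script. The script below is an added example written for this archive page, not code from either poster or from portsentry; the file paths, the TTL, the `DRY_RUN`/`STATE`/`ALLOWLIST` variable names and the RFC 5737 addresses in the allowlist are assumptions chosen for illustration. It never blocks an allowlisted source, refuses anything that is not a dotted-quad address (portsentry hands the script untrusted input), records when each block was added, and lets cron expire only the blocks older than the configured interval instead of flushing everything.

```shell
#!/bin/sh
# autoblock.sh: temporary per-source DENY rules with an expiry and a never-block list.
# Added example for this thread; not code from either poster or from portsentry.
# Paths, TTL, variable names and allowlist addresses are assumptions for illustration.
#
# Usage:  ./autoblock.sh block <ip>   (called by portsentry or a log watcher)
#         ./autoblock.sh expire       (run from cron, e.g. every 10 minutes)
# Set DRY_RUN=1 to print the ipchains commands on stderr instead of executing them.

STATE="${STATE:-/var/run/autoblock.state}"  # one line per block: "<ip> <epoch-seconds-added>"
TTL="${TTL:-3600}"                           # lifetime of a block in seconds (the "DENY flush" interval)
# Sources that are never blocked, however the probe looks. A probe spoofed "from"
# your own router, DNS server, monitoring host or a customer would otherwise let an
# outsider make you cut yourself off; list those addresses here.
ALLOWLIST="${ALLOWLIST:-127.0.0.1 192.0.2.1 192.0.2.53}"  # constructed RFC 5737 examples

fw() {                                   # run ipchains, or only show the command in DRY_RUN mode
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "dry-run: ipchains $*" >&2; else ipchains "$@"; fi
}

valid_ipv4() {                           # accept only dotted quads with every octet in 0-255
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

is_allowlisted() {
    for a in $ALLOWLIST; do [ "$1" = "$a" ] && return 0; done
    return 1
}

is_blocked() { [ -f "$STATE" ] && grep -q "^$1 " "$STATE"; }

# block_ip <ip> [now]: install a DENY rule for <ip> and record when it was added.
# Prints the decision on stdout; returns 1 when the request is refused.
block_ip() {
    ip=$1; now=${2:-$(date +%s)}
    valid_ipv4 "$ip"     || { echo "refused: not an IPv4 address: $ip"; return 1; }
    is_allowlisted "$ip" && { echo "refused: allowlisted: $ip"; return 1; }
    is_blocked "$ip"     && { echo "already blocked: $ip"; return 0; }
    fw -I input 1 -s "$ip" -j DENY -l    # insert at the top of the input chain, log matches
    echo "$ip $now" >> "$STATE"
    echo "blocked: $ip"
}

# expire_blocks [now]: remove every rule older than TTL; prints how many were removed.
expire_blocks() {
    now=${1:-$(date +%s)}; removed=0
    [ -f "$STATE" ] || { echo 0; return 0; }
    tmp="$STATE.tmp"; : > "$tmp"
    while read -r ip added; do
        if [ $((now - added)) -ge "$TTL" ]; then
            fw -D input -s "$ip" -j DENY -l    # must match the inserted rule exactly
            removed=$((removed + 1))
        else
            echo "$ip $added" >> "$tmp"        # still within its TTL: keep it
        fi
    done < "$STATE"
    mv "$tmp" "$STATE"
    echo "$removed"
}

case "${1:-}" in
    block)  block_ip "$2" ;;
    expire) expire_blocks ;;
esac
```

Wire it up by pointing portsentry's reaction command at `autoblock.sh block` with the offending address, and run `autoblock.sh expire` from cron at whatever granularity suits the TTL you settled on. The allowlist is the part that answers Thom's objection: whatever interval you pick, an address on that list can never be denied, so spoofing probes from it gains the sender nothing; the expiry answers Danny's concern about customers on dynamic addresses, since a block never outlives its TTL.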