Ariel Graneros <[EMAIL PROTECTED]> writes:

> On Tue, 3 Dec 2002 21:19:28 EST [EMAIL PROTECTED] wrote:
>
>> Hi. Can you help me? Who do I report the above to? I have 2 firewalls
>> running and tonight I was attacked from the same address 172 times in
>> less than an hour. These people want banning off the net. It is
>> certainly a violation of my privacy. A dozen times is an excuse but 172,
>> I ask you. Please come back.
>
> A good solution is portsentry:
>
> http://www.psionic.com/products/portsentry.html
No, a good solution is whois(1). If the OP's complaint is valid (do we have logs / a description of what was going off? Has he taken a cold shower since posting?) then a complaint to abuse@ the ISP providing the incoming IP#s *may* be appropriate. Otherwise there are perfectly rational explanations for quite a lot of perceived "attack"s; maybe this avenue should be pursued further.

> PortSentry is part of the TriSentry suite of security tools. It is a
> program designed to detect and respond to port scans against a target
> host in real-time. Stealth detection modes are available under all Unix
> platforms and detects SYN, FIN, NULL, XMAS, and Oddball packet scans. All
> modes support real-time blocking and reporting of violations.

I've just explained over on comp.os.linux.security why portsentry is a lousy idea, but to summarize:

a) "dynamic" means nothing when the packets shouldn't have permeated to user-space at all;
b) risk of auto-DoS if someone spoofs a given set of valuable IP#s;
c) having to have no firewall, or extra holes in a firewall, in order to detect a finite set of events seems daft when you could just be blocking them already by default.

IOW, write a proper firewall with DROP-by-default and only as few services open as you need, and if you want a different view on what attacks are going off, get something with a *much* larger rule-base like _snort_ instead. And when you get a real incident of either massive abuse or targeted attacks, *then* you whine to the people responsible. 172 packets dropped in a firewall does not a DoS - or even an attack - make.

~Tim
-- 
<http://spodzone.org.uk/>
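The triage Tim describes (look at the logs, separate a handful of dropped packets from a real incident, and only then reach for whois(1) and abuse@) can be made mechanical. The script below is an added example, not code from anyone in this thread: it parses the field format the netfilter LOG target writes to the kernel log, aggregates dropped packets per source address, and labels each source as noise, a probe of one service, or a port scan. The sample log lines are constructed (RFC 5737 documentation addresses), and the thresholds (`min_hits`, `scan_ports`, `report_hits`) are hypothetical values chosen for illustration, not anything the post specifies.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fields written by the netfilter LOG target. The SPT/DPT pair is optional so
# that ICMP entries (which carry TYPE=/CODE= instead) still parse.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample of packets dropped by a DROP-by-default policy.
# 192.0.2.10 walks five ports, 203.0.113.7 retries one port, 198.51.100.99 pings once.
SAMPLE_LOG = """\
Dec  3 21:19:28 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  3 21:19:28 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  3 21:19:29 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  3 21:19:29 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  3 21:19:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=5 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  3 21:40:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=700 DF PROTO=TCP SPT=3120 DPT=137 WINDOW=16384 RES=0x00 SYN URGP=0
Dec  3 21:40:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=701 DF PROTO=TCP SPT=3120 DPT=137 WINDOW=16384 RES=0x00 SYN URGP=0
Dec  3 21:40:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=702 DF PROTO=TCP SPT=3120 DPT=137 WINDOW=16384 RES=0x00 SYN URGP=0
Dec  3 21:40:22 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=703 DF PROTO=TCP SPT=3120 DPT=137 WINDOW=16384 RES=0x00 SYN URGP=0
Dec  3 21:55:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""


def parse_line(line):
    """Return a dict of the interesting fields, or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; the default (1900) is fine for spans.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarize(lines):
    """Aggregate dropped packets per source: hit count, distinct ports, time window."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "protos": set(),
                                   "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["hits"] += 1
        s["protos"].add(rec["proto"])
        if rec["dpt"] is not None:
            s["ports"].add(rec["dpt"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return per_src


def classify(summary, min_hits=4, scan_ports=4):
    """Label each source. Thresholds are hypothetical tuning knobs, not from the post."""
    verdicts = {}
    for src, s in summary.items():
        if s["hits"] < min_hits:
            verdicts[src] = "noise"
        elif len(s["ports"]) >= scan_ports:
            verdicts[src] = "port scan"
        else:
            verdicts[src] = "repeated probe of one service"
    return verdicts


def report_candidates(summary, report_hits=1000):
    """Sources that cross the (hypothetical) 'massive abuse' bar and merit a
    whois(1) lookup and, with the logs attached, a note to the provider's abuse@."""
    return sorted(src for src, s in summary.items() if s["hits"] >= report_hits)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for src, verdict in classify(summary).items():
        s = summary[src]
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{src:15} {s['hits']:4} hits {len(s['ports']):3} ports over {span:4.0f}s -> {verdict}")
    for src in report_candidates(summary):
        print(f"look up: whois {src}   (attach the matching log lines to any abuse@ report)")
```

Run against a real log with `summarize(open("/var/log/kern.log"))`; everything the default policy already dropped is, as the post says, not an incident by itself, so `report_candidates` is deliberately the only path that leads to whois(1) and a complaint.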