On Thu, 29 Aug 2013 07:41:41 -0500, Joaquin Moyares Rojas wrote:

> Greetings. I need to know whether anyone has used psad, to see how to make
> it so that when the service restarts it does not lose the list of blocked
> IPs in the auto_blocked_iptables file.
Their FAQ says:

***
http://cipherdyne.org/psad/docs/faq.html#auto_block

3.2. Can psad automatically block IP addresses that have scanned my system?

psad has the capability of automatically blocking IP addresses with both iptables and/or tcpwrappers. Furthermore, psad can be configured to only block an IP after it has reached a certain danger level which the admin defines. The two relevant configuration variables in the /etc/psad/psad.conf file are "ENABLE_AUTO_IDS" and "AUTO_IDS_DANGER_LEVEL". Note that the auto blocking feature is disabled by default; please see the next question.

3.3. Is it a good idea to set ENABLE_AUTO_IDS="Y" to automatically block scans?

In general no, and this feature is disabled by default. The reason for this is that a scan can be spoofed from any IP address (see the -S option to nmap). If psad is configured to automatically block scans then an attacker can spoof a scan, say, from www.yahoo.com and then you will be parsing your firewall ruleset to discover why you can't browse Yahoo's website, (or you can just execute "psad --Flush" to remove any auto-generated firewall rules). Also, an advanced scanning technique called the TCP Idle Scan requires that scan packets are spoofed by the attacker from a seemingly unrelated IP address from the viewpoint of the target. Nmap implements the Idle scan with its -sI option, and a good explanation of the technique can be found here.
***

Regards,

-- 
Camaleón
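The reply above addresses whether auto-blocking is wise, not the original question of keeping the blocks across a restart. The following is an added example, not code from this thread or from psad itself: it snapshots the DROP rules currently in psad's block chain from iptables-save output and regenerates them afterwards, so it does not depend on the format of psad's own auto_blocked_iptables file. It assumes the chain is named PSAD_BLOCK_INPUT (the default IPT_AUTO_CHAIN1 entry in psad.conf; set PSAD_CHAIN if yours differs), that the snapshot is iptables-save(8) output, and that a restart really does clear the chain, as the question describes; verify the last point with iptables-save before and after restarting on your own version.

```shell
#!/bin/sh
# Added example, not code from the thread or from psad: keep psad's
# auto-block rules across a service restart by snapshotting the kernel's
# iptables rules and regenerating them afterwards.
# Assumptions: the auto-block chain is PSAD_BLOCK_INPUT (psad.conf default
# IPT_AUTO_CHAIN1; override PSAD_CHAIN if yours differs) and the snapshot
# is iptables-save(8) output.

PSAD_CHAIN="${PSAD_CHAIN:-PSAD_BLOCK_INPUT}"

# Read iptables-save output on stdin and print the source addresses of the
# DROP rules in the psad chain, one per line, deduplicated. Only a
# dotted-quad IPv4 (optionally with /prefix) is let through, so a
# hand-edited or corrupted snapshot cannot smuggle extra arguments into
# the iptables commands built later.
extract_blocked_ips() {
    sed -n "s|^-A ${PSAD_CHAIN} -s \([0-9./]*\) -j DROP\$|\1|p" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
        sort -u
}

# Read addresses on stdin and print idempotent iptables commands: -C tests
# whether the rule already exists, so the output can be re-run safely.
restore_commands() {
    while IFS= read -r ip; do
        printf 'iptables -C %s -s %s -j DROP 2>/dev/null || iptables -A %s -s %s -j DROP\n' \
            "$PSAD_CHAIN" "$ip" "$PSAD_CHAIN" "$ip"
    done
}

# Constructed iptables-save excerpt for a dry run (not captured from a real
# host): two genuine blocks, one duplicate, one LOG rule that must be
# ignored, and one malformed address that must fail the shape check.
sample_save() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:PSAD_BLOCK_INPUT - [0:0]
-A INPUT -j PSAD_BLOCK_INPUT
-A PSAD_BLOCK_INPUT -s 203.0.113.5/32 -j DROP
-A PSAD_BLOCK_INPUT -s 198.51.100.77/32 -j DROP
-A PSAD_BLOCK_INPUT -s 203.0.113.5/32 -j DROP
-A PSAD_BLOCK_INPUT -s 198.51.100.9/32 -j LOG
-A PSAD_BLOCK_INPUT -s 1.2.3/32 -j DROP
COMMIT
EOF
}

# Live use (as root):
#   iptables-save -t filter | extract_blocked_ips > /var/lib/psad-blocked.txt   # before restart
#   restore_commands < /var/lib/psad-blocked.txt | sh                           # after restart
# Dry run on the constructed sample:
#   sample_save | extract_blocked_ips | restore_commands
```

Restoring the list re-applies whatever psad decided to block, including blocks triggered by spoofed scans as the FAQ warns; review the snapshot (or run "psad --Flush" and start clean) if a legitimate address ends up in it.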