"Paul D. Robertson" wrote:
> 
> On Sun, 12 Mar 2000, Paul Tan wrote:
> 
> >     just wondering, is it possible to stop port scans, log them, as well as 
> > configure IPchains to deny access from that particular IP address who is scanning for 
> > a period of time.
> 

> 2. Logging port scans is possible, but IMNSHO fairly fruitless unless
> you're willing to dedicate a significant machine with a great deal of disk
> space to the task.  In that case, a better course would be to buy an IDS
> box and gain more information and better accounting.

How much log space you need depends on how much traffic you get 
on your link.  I log all packet headers for all ports, 
and whole packets on a few ports.  Building a logging machine isn't 
all that difficult.  I use a Pentium 100 as my logger.  It's able 
to keep up with a 768kbit DSL link fine.  It even compresses the logs.  
On a really heavy day (link full all day) I will see at most 250 
Mbytes of compressed logs generated.  Typical days are usually less 
than 15% of that.  Logs are usually compressed anywhere from 60% 
to 75%.  Any relatively new PC combined with a set of huge IDE 
disks should be able to do all the logging you need.  If you 
require redundancy, set up two PCs rather than using expensive 
solutions like disk mirroring, etc.  For $1200 you can set up a very 
good logger machine with 60 GBytes of log space.  Use 2 IBM 34 GByte 
IDE hard disks at $300 each, a $400 low end PC (E-Machines), a $100 
monitor, and 2 $50 NICs.  For backup I suggest encrypting the 
compressed logs then ftping them to the backup/archival system.  
All of this can be automated with cron and shell scripts.

There is an issue with logging like this.  It is data privacy and 
the possibility of password revealing.  If someone gets access to 
the log machine or data they now have access to all the passwords 
sent across the network if you log packet contents.  As I said, I 
log whole packets on some ports.  When I set up whole-packet logging 
for ports that may have clear text passwords on them I encrypt the 
logs.  Faster CPUs really help with this.  You also need to secure 
the machine against outside access.  You really need to make sure
the machine is very secure from both external and site internal 
cracking.  It's a gold mine of data.

For detecting the port scans I analyze the packets through a filter 
program.  It sorts and counts them by a number of different criteria, 
plus does some other analysis.  It finds most scans, even random ones 
run over multi-day periods.

If you wish to block sites scanning you, consider this.  My machines 
have never been attacked from a site that scanned them.  All attacks 
I've seen have always come from a site that has never been to my 
site before.  There may be some clueless script kiddies that hack from
the same machine they scan from, but they are clearly the exception.

My response to sites scanning me is to manually put them on a higher 
level of logging.  That is, log full packet contents from them.  If I 
get many repeat scans from them I may manually put them into a deny-
all block.  A couple of netblocks in Korea are currently in this 
category, and one in Ireland was.  I only do this as a last resort.  

-- 
|  Bryan Andersen   |   [EMAIL PROTECTED]   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
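The sort-and-count approach to scan detection that Bryan describes above, written out as an added example (not the poster's own filter program): packets from a packet-header log are grouped by source address and the distinct destination ports each source touched within a window of days are counted, so a scan spread slowly over several days still stands out. The log line format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a packet-header log, one packet per line:
# "<ISO timestamp> <src ip> <dst ip> <proto> <dst port>". This layout is
# an assumption for the example, not the format of the poster's logger.
SAMPLE_LOG = """\
2000-03-10T01:12:05 10.0.0.7 192.0.2.10 tcp 22
2000-03-10T09:40:11 10.0.0.7 192.0.2.10 tcp 80
2000-03-11T03:02:44 10.0.0.7 192.0.2.10 tcp 443
2000-03-12T17:55:09 10.0.0.7 192.0.2.10 tcp 25
2000-03-12T17:55:10 10.0.0.7 192.0.2.10 tcp 110
2000-03-13T08:00:01 10.0.0.7 192.0.2.10 tcp 143
2000-03-10T12:00:00 198.51.100.5 192.0.2.10 tcp 80
2000-03-11T12:00:00 198.51.100.5 192.0.2.10 tcp 80
2000-03-11T12:00:00 198.51.100.9 192.0.2.10 tcp 25
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (tcp|udp) (\d+)$")


def parse(log_text):
    """Yield (timestamp, src, dst, proto, dport), skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, proto, dport = m.groups()
        yield datetime.fromisoformat(ts), src, dst, proto, int(dport)


def find_scanners(log_text, window=timedelta(days=7), min_ports=5):
    """Group packets by source, then count the distinct destination ports
    each source hit inside any sliding time window of length `window`.
    Return {src: sorted ports} for sources reaching `min_ports`.  Using a
    window of days rather than seconds is what exposes slow scans."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in parse(log_text):
        by_src[src].append((ts, dport))
    flagged = {}
    for src, pkts in by_src.items():
        pkts.sort()  # time order, so each window is a contiguous slice
        for i, (t0, _) in enumerate(pkts):
            ports = {p for t, p in pkts[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```

With the default one-week window 10.0.0.7 is flagged on six ports spread over four days; with a one-day window the same source goes unnoticed, which is the point the poster makes about multi-day scans.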
