On Sat, 3 Aug 2002, S Mohan wrote:

> Boy that was a loadful. No offences if I've caused any. Firstly, I trust
> Linux, the author and myself too.
>
Sorry -- I should have held that post over night before deciding to send it or not; it would have been the latter.

> My experience is limited but I've got hacked and have detected
> portscans. Normally a portscan would take some time depending on how
> many ports are scanned. However, I'm identifying a portscan by finding
> out who is opening a port on which I'm not running any service.
> Secondly, the portscanner from the same IP scans machines in the subnet
> going thro' this router/firewall. Thus we will be able to block the IP
> for the network, saving other machines if they have a vulnerability on
> services that are open.
>

Yes -- I agree. Although most attacks that I've seen lately have been very focused against a few ports (MS SQL Server, ftp, ssh, ...), stopping someone who is taking the shotgun approach is probably a good thing.

> Can the userspace area be made use of to create chains on the fly? Say
> maybe running a shell script as a service that takes an IP as an
> argument to create the chain? I do not know if userspace allows this.
>

Yes -- In fact, I think that there are people who are using snort together with Shorewall's blacklisting to do just that. Remember that user space doesn't have to create the rules itself -- it can simply invoke the "shorewall drop" or "shorewall reject" commands.

As I pointed out in my previous post, there is a danger that the blacklist gets very large over time -- it is a good idea to purge old entries every so often so that the overhead of processing the blacklist doesn't become excessive.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
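The userspace blacklister that the exchange above describes, written out as an added example that is not part of the original post and not code from Shorewall or LEAF. It reads iptables LOG lines from syslog, counts how many distinct closed ports each source has probed, calls "shorewall drop" on any source that reaches a threshold, and later releases stale entries with "shorewall allow" (Shorewall's command for removing a dynamic blacklist entry, which the post does not mention) so the blacklist does not grow without bound. The state-file path, the threshold, the purge age, the "Shorewall:<chain>:<disposition>:" log prefix and the sample log lines are all assumptions made for this example; the sample lines are constructed, not captured.

```sh
#!/bin/sh
# Added example, not code from the post or from Shorewall: a userspace
# blacklister of the kind discussed above. It reads Shorewall/iptables LOG
# lines out of syslog, counts the distinct closed ports each source has
# probed, hands any source that reaches THRESHOLD to "shorewall drop", and
# releases entries older than MAX_AGE seconds with "shorewall allow" so the
# dynamic blacklist does not grow without bound. The state-file path, the
# threshold, the purge age and the sample log below are all assumptions.

THRESHOLD=${THRESHOLD:-5}                   # distinct closed ports before we blacklist
MAX_AGE=${MAX_AGE:-86400}                   # seconds an entry stays in the blacklist
STATE=${STATE:-/var/lib/autoblack/state}    # one "ip epoch-added" line per entry

# Constructed sample syslog lines in the shape of iptables LOG output with a
# Shorewall-style "Shorewall:<chain>:<disposition>:" prefix (assumed format).
# 192.0.2.7 sweeps six closed ports (22 twice); 203.0.113.9 only hammers 1433.
SAMPLE_LOG='Aug  3 10:00:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=21 SYN
Aug  3 10:00:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=4445 DPT=22 SYN
Aug  3 10:00:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=4446 DPT=22 SYN
Aug  3 10:00:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=4447 DPT=23 SYN
Aug  3 10:00:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=4448 DPT=80 SYN
Aug  3 10:00:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=4449 DPT=443 SYN
Aug  3 10:00:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=4450 DPT=1433 SYN
Aug  3 10:00:05 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=3321 DPT=1433 SYN
Aug  3 10:00:06 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=3322 DPT=1433 SYN
Aug  3 10:00:07 fw kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=198.51.100.2 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=53 SYN'

run_shorewall() {
    # Wrapper so the script can be dry-run on a box without Shorewall installed.
    if command -v shorewall >/dev/null 2>&1; then
        shorewall "$@"
    else
        echo "(shorewall not found, would run) shorewall $*" >&2
    fi
}

scan_sources() {
    # $1: log file. Prints "src nports" for each source that has hit at least
    # THRESHOLD distinct destination ports in logged DROPs (retries of one
    # port count once, so a focused single-port attack does not trip this).
    awk -v thr="$THRESHOLD" '
        /DROP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' "$1"
}

blacklist() {
    # $1: IPv4 address. Idempotent: a source already in the state file is skipped.
    ip=$1
    case $ip in
        # Only digits and dots may reach the shorewall command line.
        *[!0-9.]*|"") echo "autoblack: refusing suspicious address '$ip'" >&2; return 1 ;;
    esac
    if [ -f "$STATE" ] && awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$STATE"; then
        return 0
    fi
    run_shorewall drop "$ip" || return 1
    echo "$ip $(date +%s)" >> "$STATE"
}

purge() {
    # $1: current epoch seconds (defaults to now). Releases entries older than
    # MAX_AGE and rewrites the state file without them; an entry whose
    # release fails stays in the file so it is retried next time.
    now=${1:-$(date +%s)}
    [ -f "$STATE" ] || return 0
    tmp="$STATE.tmp"
    : > "$tmp"
    while read -r ip added; do
        if [ $((now - added)) -ge "$MAX_AGE" ] && run_shorewall allow "$ip"; then
            continue
        fi
        echo "$ip $added" >> "$tmp"
    done < "$STATE"
    mv "$tmp" "$STATE"
}

main() {
    if [ "$1" = --demo ]; then
        STATE=$(mktemp); log=$(mktemp)
        printf '%s\n' "$SAMPLE_LOG" > "$log"
    else
        log=$1
    fi
    scan_sources "$log" | while read -r src n; do
        echo "blacklisting $src ($n closed ports probed)"
        blacklist "$src"
    done
    purge
    if [ "$1" = --demo ]; then cat "$STATE"; rm -f "$STATE" "$log"; fi
}

# Usage: autoblack.sh /var/log/messages    (or: autoblack.sh --demo)
[ $# -eq 0 ] || main "$@"
```

Run it from cron against the syslog file the firewall's LOG rules write to; because the drop happens on the router, every host behind it is covered, which is the point Mohan makes about saving the other machines on the subnet. The purge pass is what keeps the dynamic blacklist from growing without bound over time.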