Mr Cox,


>Take a lan. All the machines on it depend on an external DNS server typically.
>If so you fake portscans from their primary/secondary DNS server to each 
>client
>The clients all firewall the DNS servers.

Ah, I see.
You could put override rules for trusted hosts (like DNS) and make sure 
sentry adds rules to the bottom of the input chain. (It's not perfect, 
since someone could launch an attack from your DNS servers...)

In general if you're running PortSentry and something stops working you 
just reset the firewall. Leaving the drop route entries in is generally 
useless since the attackers move around.

> > PPS. What's better: losing your access, or having a kiddy break into you
> > computer and use it as a launch pad for hack attempts that cause your ISP
> > to yank your access or worse...
>
>The kiddiez are using good stealth scanners nowadays - the ones with up
>to date tools. They do port/host not host/port ordered scans. That is you'll
>see
>
>         x.x.x.1 80  x.x.x.2 80 -> etc
>
>then maybe an hour later
>
>         x.x.x.1 81
>
>Some of them also randomise the host order too. It is getting really hard
>to spot scans because of this kind of stuff.

True, but again it's like "The Club". Thieves that know how to get past it 
can steal your car, those that don't move on to the next guy. You're still 
lowering the overall chance of theft. Also, you're increasing the time it 
takes to get into your server vs an unprotected server, which might cause 
thieves to skip over you.
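The override-rule ordering discussed above, as an added illustration that is not code from the thread or from PortSentry: a toy first-match chain (the semantics of an ipchains/iptables input chain) with static ACCEPT rules for trusted DNS servers, then a spoofed scan "from" the primary DNS address and a real scan from a scanner, both of which trigger the auto-blocker. The addresses are constructed; `TRUSTED_DNS`, `SCANNER` and `simulate` are names assumed here.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample addresses (not from the thread).
TRUSTED_DNS = ["10.0.0.53", "10.0.0.54"]
SCANNER = "192.0.2.7"

@dataclass
class Rule:
    src: Optional[str]  # None matches any source address
    action: str         # "ACCEPT" or "DROP"

@dataclass
class Chain:
    """First-match chain, like an ipchains/iptables input chain."""
    rules: List[Rule] = field(default_factory=list)
    policy: str = "ACCEPT"

    def insert(self, rule: Rule) -> None:   # like `-I INPUT`: top of chain
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # like `-A INPUT`: bottom of chain
        self.rules.append(rule)

    def verdict(self, src: str) -> str:
        for r in self.rules:                # first matching rule wins
            if r.src is None or r.src == src:
                return r.action
        return self.policy

def chain_with_overrides() -> Chain:
    """Static ACCEPT override rules for trusted hosts, loaded before the sentry runs."""
    chain = Chain()
    for ip in TRUSTED_DNS:
        chain.append(Rule(ip, "ACCEPT"))
    return chain

def simulate(sentry_appends: bool) -> dict:
    """Block a scan forged from the primary DNS address and a real scan from
    SCANNER, then report which sources can still reach the client."""
    chain = chain_with_overrides()
    for offender in (TRUSTED_DNS[0], SCANNER):
        block = Rule(offender, "DROP")
        if sentry_appends:
            chain.append(block)     # lands below the overrides: DNS survives
        else:
            chain.insert(block)     # lands above them: spoofed scan locks out DNS
    return {ip: chain.verdict(ip) for ip in TRUSTED_DNS + [SCANNER]}

if __name__ == "__main__":
    print("sentry appends (bottom):", simulate(True))
    print("sentry inserts (top):   ", simulate(False))
```

As the reply notes, the override protects name resolution only against forged scans; it does nothing if the DNS host itself is compromised and used as the source.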
