Re: Port Sentry

2001-06-03 Thread Alvin Oga

hi roderick

if the clients need access to your lan...
- put them on a different wire ( 10.0.1.0/24 )

and you keep all your corp data that has nothing to 
do with them on  other wires ( 192.156.1.0/24 )

then put a gateway for your coworker to get to
them  but the clients in their office cannot
get into your private 192.168.1.0 network..
( they don't need the root passwd to that gateway )

-- ie... move your internal firewall -- one lan inward...

-- having their machines on the same wire as your 
   credit and finance and MS windoze boxes is 
   asking for problems... might as well leave those
   PCs in their offices... ( same effect )

-- am guessing... there is data they need...
   and data they dont need from your own servers

have fun
alvin


On Sun, 3 Jun 2001, Roderick Cummings wrote:

> >From: "Rajkumar S." <[EMAIL PROTECTED]>
> >To: Roderick Cummings <[EMAIL PROTECTED]>
> >CC: debian 
> >Subject: Re: Port Sentry
> >Date: Sat, 2 Jun 2001 20:51:46 +0530 (IST)
> >
> >On Sat, 2 Jun 2001, Roderick Cummings wrote:
> >
> > > Now when portsentry detects a port scan it blocks the ip making the
> > > scan.
> >
> >I am not an expert in security, but some doubts.
> >
> >Is it wise to block an ip just because it did a port scan?
> >What if s/he spoofs the ip and puts your ip as source address?
> >
> >raj
> >
> 
> A rule in my input chain will drop any incoming packet claiming to be from 
> the localhost. (the routers to other networks will drop any incoming 
> packets claiming to be from my network as well).
> 
> Blocking the ip's might be a problem if say, someone takes control of one of 
> the servers at my customers site, but then the application would die and be 
> noticed. Although that would be a serious DOS attack, I'd much rather know 
> there is a problem and discover the system in the customer's network was 
> hacked, than continue to talk to it and process data from it. Unfortunately 
> the customers do have legitimate reasons to access the systems in my network 
> (several of which they actually own).



Re: Port Sentry

2001-06-03 Thread Roderick Cummings

From: "Noah L. Meyerhans" <[EMAIL PROTECTED]>
To: Debian User List 
Subject: Re: Port Sentry
Date: Sat, 2 Jun 2001 12:50:39 -0400

On Sat, Jun 02, 2001 at 08:51:46PM +0530, Rajkumar S. wrote:
> > Now when portsentry detects a port scan it blocks the ip making the
> > scan.
>
> Is it wise to block an ip just because it did a port scan?
> What if s/he spoofs the ip and puts your ip as source address?

This is the real problem, and is a very good reason not to block IP
addresses based on a portscan.  Very few large scale sites do anything
of the sort.  It is trivial to spoof the source address of a portscan,
allowing one to cause your machine to block access from your nameservers
or your clients or other important sites.

I recommend using ippl or the ipchains/iptables based logging facilities
in place of portsentry.  They don't necessitate having a service
actually listening on unused ports.

noah

--
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


These networks are not accessible from the internet, nor are the customer 
networks. So the only spoofing would be from either co-workers here, or 
employees of customers. The decision then is: is the risk of a spoofed 
source DOS worth continuing to accept data from a potentially compromised 
host, particularly when the person doing the scan is someone who knows a lot 
about the systems he's attacking and the data they process? Such a person 
could easily fake customer billing, credits, and cause lots of problems far 
worse than an hour or so of downtime.


But you are right about the nameservers not blocking. The whole point of many 
nameservers is public access, so they are easily found, and often messed 
with, so they should be monitored closely, be tight, but also be tolerant of 
newbies trying weird things to them. However, in this situation the 
nameservers are less important anyway, most of the applications have the 
IP's in their hosts files. Nearly all of the systems are application 
processors, not user stations, so they are constantly passing application 
messages, datafiles, etc with a fixed set of machines.

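Noah's objection and Roderick's reply above turn on one trade-off: auto-blocking a scanner is useful against a compromised customer host, but a scan carrying a forged source address can make the sentry block a nameserver or a customer system the applications depend on. The Python below is an added example, not portsentry's code and not anything posted in this thread. It runs a simple distinct-ports threshold over constructed log lines and applies two safeguards: sources that are impossible on the interface they arrived on (loopback or internal addresses seen on the outside wire) are recorded as spoofed rather than blocked, and peers on a never-block list (the same idea as portsentry's ignore file) raise an alert instead of a block. All addresses, interface names, the threshold and the log format are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed policy: peers that must never be auto-blocked, because losing
# them costs more than any scan they appear to be sending. An operator is
# alerted instead.
NEVER_BLOCK = [
    ipaddress.ip_network("192.168.1.53/32"),  # internal nameserver
    ipaddress.ip_network("10.0.1.0/24"),      # customer application hosts
]
# Constructed: address blocks that are only legitimate on the inside. Seen as
# a source on the external interface they can only be forged, so the claimed
# address must not be treated as the scanner.
INTERNAL_ONLY = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]
SCAN_THRESHOLD = 5  # distinct probed ports from one source before reacting

# Constructed log line format: "<iface> <src> -> <dst>:<port>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+\S+:(\d+)$")


def in_any(addr, networks):
    return any(addr in net for net in networks)


def react_to_scans(lines, external_iface="eth0"):
    """Sort scan sources into 'block' (safe to auto-block), 'alert' (critical
    peer: notify a human, never block) and 'spoofed' (impossible source:
    drop the packets, do not block the claimed address)."""
    ports_seen = defaultdict(set)
    spoofed = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the constructed format
        iface = m.group(1)
        src = ipaddress.ip_address(m.group(2))
        port = int(m.group(3))
        if iface == external_iface and in_any(src, INTERNAL_ONLY):
            spoofed.add(str(src))
            continue
        ports_seen[src].add(port)
    result = {"block": set(), "alert": set(), "spoofed": spoofed}
    for src, ports in ports_seen.items():
        if len(ports) < SCAN_THRESHOLD:
            continue  # a couple of stray connections is not a scan
        bucket = "alert" if in_any(src, NEVER_BLOCK) else "block"
        result[bucket].add(str(src))
    return result


def build_sample_log():
    """Constructed sample: four sources touching the same internal server."""
    lines = []
    for port in (21, 22, 23, 25, 110, 143):
        lines.append(f"eth0 203.0.113.7 -> 192.168.1.10:{port}")  # outside scanner
        lines.append(f"eth0 127.0.0.1 -> 192.168.1.10:{port}")    # forged loopback source
        lines.append(f"eth1 10.0.1.20 -> 192.168.1.10:{port}")    # customer host, maybe compromised
    lines.append("eth0 198.51.100.9 -> 192.168.1.10:80")          # two ports only: not a scan
    lines.append("eth0 198.51.100.9 -> 192.168.1.10:443")
    return lines


if __name__ == "__main__":
    for bucket, sources in react_to_scans(build_sample_log()).items():
        print(f"{bucket:8s} {sorted(sources)}")
```

On the sample log the outside scanner lands in `block`, the customer host lands in `alert` (someone has to look at it, which is exactly the notice Roderick says he wants), and the forged loopback source is reported as `spoofed` without 127.0.0.1 ever entering a block list.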



Re: Port Sentry

2001-06-03 Thread Roderick Cummings

From: "Rajkumar S." <[EMAIL PROTECTED]>
To: Roderick Cummings <[EMAIL PROTECTED]>
CC: debian 
Subject: Re: Port Sentry
Date: Sat, 2 Jun 2001 20:51:46 +0530 (IST)

On Sat, 2 Jun 2001, Roderick Cummings wrote:

> Now when portsentry detects a port scan it blocks the ip making the
> scan.

I am not an expert in security, but some doubts.

Is it wise to block an ip just because it did a port scan?
What if s/he spoofs the ip and puts your ip as source address?

raj



A rule in my input chain will drop any incoming packet claiming to be from 
the localhost. (the routers to other networks will drop any incoming 
packets claiming to be from my network as well).


Blocking the ip's might be a problem if say, someone takes control of one of 
the servers at my customers site, but then the application would die and be 
noticed. Although that would be a serious DOS attack, I'd much rather know 
there is a problem and discover the system in the customer's network was 
hacked, than continue to talk to it and process data from it. Unfortunately 
the customers do have legitimate reasons to access the systems in my network 
(several of which they actually own).




Re: Port Sentry - users

2001-06-02 Thread Alvin Oga

hi john

i think it's more the issue of what "users" do after they see
the portscan log messages...

changing fw rules due to portscan logs is like shooting yourself
in the foot if one does not know why you're updating the fw rules
( "i heard someone say update the fw to stop port scans" is not good 
  enough of a reason )

c ya
alvin
http://www.Linux-Sec.net

On 2 Jun 2001, John Hasler wrote:

> > It is trivial to spoof the source address of a portscan, allowing one to
> > cause your machine to block access from your nameservers or your clients
> > or other important sites.
> 
> While certainly no panacea, portsentry isn't that stupid.  The authors
> thought about this and provided for it.
> -- 



Re: Port Sentry - good idea

2001-06-02 Thread Alvin Oga

hi ya raj

> Is it wise to block an ip just because it did a port scan?
> What if s/he spoofs the ip and puts your ip as source address?

that's exactly what the next level of "script kiddies" does 
to get you to block all incoming legit connections
- in this case..block connections from your own clients ??

- port scanning is so common it's better/cheaper to have
  dedicated hosts for each "port"

- too much headache to read false port scan reports that
  tom, dick and harry scanned ya...
- fw should only allow certain ports to pass thru
  to certain servers only... otherwise log it...
  and check the fw later...

- if they have your fw root passwd too.. ***oooppsss***

- dedicated dns server, web server, smtp, pop3 servers are cheaper to
  maintain than to set up all machines to check all ports

c ya
alvin

On Sat, 2 Jun 2001, Rajkumar S. wrote:

> On Sat, 2 Jun 2001, Roderick Cummings wrote:
> 
> > Now when portsentry detects a port scan it blocks the ip making the
> > scan.
> 
> I am not an expert in security, but some doubts.
> 
> Is it wise to block an ip just because it did a port scan?
> What if s/he spoofs the ip and puts your ip as source address?
> 
> raj
> 
> 
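Roderick's input-chain rule earlier in the thread (drop anything claiming to come from localhost or from his own network) and Alvin's advice in this post (let only certain ports through to certain servers, log the rest) describe one ingress policy. The Python below is an added illustration of that policy, not code from the thread, from portsentry or from ipchains/iptables: it evaluates constructed packets against anti-spoof checks tied to the arrival interface, then against a fixed allowlist of (customer host, internal server, TCP port) triples, and logs-and-drops everything else. It also renders the same ordered policy as iptables INPUT-chain commands, as strings only. The interface names, addresses and the port 5000 application are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

EXTERNAL_IFACE = "eth0"                           # assumed: wire facing the customer links
OWN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed: the private internal network
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed: the fixed (customer host, internal server, TCP port) triples the
# application traffic actually needs. Anything else is logged and dropped.
ALLOWED = {
    ("10.0.1.20", "192.168.1.10", 5000),
    ("10.0.1.21", "192.168.1.10", 5000),
}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int


def decide(pkt):
    """Return the verdict the input chain gives this packet."""
    src = ipaddress.ip_address(pkt.src)
    # Anti-spoof: nothing arriving on the outside interface can legitimately
    # claim a loopback or internal-network source, whatever it asks for.
    if pkt.iface == EXTERNAL_IFACE and (src in LOOPBACK or src in OWN_NET):
        return "DROP-SPOOF"
    if (pkt.src, pkt.dst, pkt.dport) in ALLOWED:
        return "ACCEPT"
    # Default deny, but log it so a later review shows who tried what.
    return "LOG-DROP"


def as_iptables():
    """Render the same policy as iptables INPUT-chain commands (strings only,
    nothing is executed). Order matters: spoof drops first, then the explicit
    allows, then the catch-all log and drop."""
    rules = [
        f"iptables -A INPUT -i {EXTERNAL_IFACE} -s {LOOPBACK} -j DROP",
        f"iptables -A INPUT -i {EXTERNAL_IFACE} -s {OWN_NET} -j DROP",
    ]
    for src, dst, port in sorted(ALLOWED):
        rules.append(f"iptables -A INPUT -s {src} -d {dst} -p tcp --dport {port} -j ACCEPT")
    rules.append('iptables -A INPUT -j LOG --log-prefix "INPUT-DENY: "')
    rules.append("iptables -A INPUT -j DROP")
    return rules


# Constructed sample traffic covering each branch of the policy.
SAMPLE = [
    Packet("eth0", "10.0.1.20", "192.168.1.10", 5000),    # legitimate app traffic
    Packet("eth0", "10.0.1.20", "192.168.1.10", 22),      # customer host probing ssh
    Packet("eth0", "127.0.0.1", "192.168.1.10", 5000),    # forged loopback source
    Packet("eth0", "192.168.1.77", "192.168.1.10", 5000), # forged internal source
    Packet("eth1", "192.168.1.77", "192.168.1.10", 22),   # same address on the inside wire
]


def filter_packets(packets):
    return [(p, decide(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE):
        print(f"{verdict:10s} {pkt.iface} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    print("\n".join(as_iptables()))
```

The last two sample packets carry the same internal source address; only the one arriving on the outside wire is a spoof, the one from the inside is an ordinary unwanted connection that gets logged. That is why the anti-spoof rules are keyed to the interface rather than to the address alone.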



Re: Port Sentry

2001-06-02 Thread shock

On 2 Jun 2001, John Hasler wrote:
>
> > It is trivial to spoof the source address of a portscan, allowing one to
> > cause your machine to block access from your nameservers or your clients
> > or other important sites.
>
> While certainly no panacea, portsentry isn't that stupid.  The authors
> thought about this and provided for it.
>

agreed.  portsentry isn't perfect (what is?).  but the authors have taken
great pains to allow for certain types of breaks.  i've been using it for
a while now.  combined with logcheck and hostsentry, it's a pretty good
system.  at a minimum, at least i know what's happening on my system.

- -- 
 ) ,_),_)
(-(__  |_  _  _ |/
 ) | |(_)(_ |\
( \_,
 ___
| mailto : [EMAIL PROTECTED]  |
| linux  : http://exitwound.org |
| mozart : http://mozart.sourceforge.net|
| buck   : http://www.BuckOwensFan.com  |
 ___
| The day advanced as if to light some work of  |
| mine; it was morning, and lo! now it is   |
| evening, and nothing memorable is |
| accomplished. -- H.D. Thoreau |
 ___



Re: Port Sentry

2001-06-02 Thread John Hasler
> It is trivial to spoof the source address of a portscan, allowing one to
> cause your machine to block access from your nameservers or your clients
> or other important sites.

While certainly no panacea, portsentry isn't that stupid.  The authors
thought about this and provided for it.
-- 
John Hasler
[EMAIL PROTECTED] (John Hasler)
Dancing Horse Hill
Elmwood, WI



Re: Port Sentry

2001-06-02 Thread Noah L. Meyerhans
On Sat, Jun 02, 2001 at 08:51:46PM +0530, Rajkumar S. wrote:
> > Now when portsentry detects a port scan it blocks the ip making the
> > scan.
> 
> Is it wise to block an ip just because it did a port scan?
> What if s/he spoofs the ip and puts your ip as source address?

This is the real problem, and is a very good reason not to block IP
addresses based on a portscan.  Very few large scale sites do anything
of the sort.  It is trivial to spoof the source address of a portscan,
allowing one to cause your machine to block access from your nameservers
or your clients or other important sites.

I recommend using ippl or the ipchains/iptables based logging facilities
in place of portsentry.  They don't necessitate having a service
actually listening on unused ports.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Port Sentry

2001-06-02 Thread Rajkumar S.
On Sat, 2 Jun 2001, Roderick Cummings wrote:

> Now when portsentry detects a port scan it blocks the ip making the
> scan.

I am not an expert in security, but some doubts.

Is it wise to block an ip just because it did a port scan?
What if s/he spoofs the ip and puts your ip as source address?

raj



Re: Port Sentry

2001-06-02 Thread Alvin Oga

hi ya roderick

- portsentry is a hostbased detector...

- try using snort for port scan detection

- if you have a client site and your own facilities...
  i assume you/they both have firewalls on both ends 
- you prevent them from playing around in your lan
- they prevent you from playing around in their lan

- the local firewalls should block the traffic from
getting to the other side ... if it doesnt and they
wanted to send 1000 pings... their servers would be busy
sending the request across the wire/vpn to be dropped 
at your end after they have successfully tied up your vpn
by sending garbage or malicious data to your side of the moat

- nothing you can do about people that are allowed to be on
  the gateway/firewall boxes...that wanna play for fun
  all other folks wouldn't get past their local firewall

c ya
alvin
http://www.Linux-Sec.net


On Sat, 2 Jun 2001, Roderick Cummings wrote:

> I have set up a debian system to act as an intrusion detection system with 
> portsentry. Now when portsentry detects a port scan it blocks the ip making 
> the scan. Is there a way to get this information propagated to nearby 
> routers, etc. It would be interesting to have all traffic to or from the 
> offending system be rejected. We have a lot of connections to our customers' 
> networks, the thing we worry about is one of their employees trying some kind 
> of hack or DOS. Thanks.



Port Sentry

2001-06-02 Thread Roderick Cummings
I have set up a debian system to act as an intrusion detection system with 
portsentry. Now when portsentry detects a port scan it blocks the ip making 
the scan. Is there a way to get this information propagated to nearby 
routers, etc. It would be interesting to have all traffic to or from the 
offending system be rejected. We have a lot of connections to our customers' 
networks, the thing we worry about is one of their employees trying some kind 
of hack or DOS. Thanks.




Re: port sentry

2000-08-16 Thread Vee-Eye
There is a (non-free) package for woody:

dpkg -s portsentry:

Package: portsentry
Status: install ok installed
Priority: optional
Section: non-free/net
Installed-Size: 121
Maintainer: Guido Guenther <[EMAIL PROTECTED]>
Version: 1.0-1.4
Depends: libc6 (>= 2.1.2), netbase, sysklogd, procps, debconf, debianutils (>= 1.7)
Recommends: tcpd
Suggests: logcheck
[...]
-- 
Michael Hummel
mailto: [EMAIL PROTECTED]
[EMAIL PROTECTED]
--
fprint = F24D EAC6 E3D7 372C 9122 D510 EB24 01CA 0B56 B518
key: http://www.seitung.net/key




port sentry

2000-08-16 Thread Debian Mail
Hello Debian Users,
Can anyone tell me if they are using port sentry with potato 2.2 to any success?
I was hoping that there would be a package *.deb for it soon, but it looks like 
there is none in the making. Just wondering if this program is difficult to 
install.

Thanks,

Debian Ghost.