Say you access your colocated RaQ from your home computer that has an IP of 209.209.209.209. If you do not add the 209.209.209.209 IP address to the portsentry.ignore file located on your RaQ, your IP address can be spoofed by someone to do a scan on your box and BAM! You're denied access to your RaQ from your home computer. Of course, you can also screw yourself should you "accidentally" attempt a connection to a monitored port. You must be certain to add the IP addresses of any computer you use (home, work, buddy's house) to access your RaQ to the portsentry.ignore file.

Of course, the perpetrator has to know that you are running Portsentry in order to do this to you in the first place, so rather than using the PORT_BANNER= option to display a warning that the connection has been dropped by Portsentry, you should just kill the route and use DENY to route all subsequent packets into the ether. This way, all the evil scanner-type person will be able to see after the initial "CONNECTION REFUSED" is what will look to them like your server "fell off" the Internet. Until you unfirewall the IP address and restart Portsentry they will not have any access to your server whatsoever... no mail, web, ping, nothing.

Anyway, before implementing this or any software into your production environment, test it out on a non-critical or test server first. If you implement something that you don't know how to use, chances are that you will be bitten either by the software, or by someone who *does* know how to use it ;^)

Brandon Wheaton
UNIX Systems Engineer
ValiCert, Inc.
1215 Terra Bella Ave.
Mountain View, CA 94043
650.567.5430
----
Computers are useless; they can only provide answers.
~Pablo Picasso

-----Original Message-----
From: Theodore Jones [mailto:theoj@xxxxxxxxxxxxx]
Sent: Tuesday, June 27, 2000 4:29 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] installing ssh on raq2

I >have< it installed, but have experienced no problems as of yet (except for catching port-scanners who get booted, but that's the point...), so I'd like to know how it could be exploited. I assume the attackers would have to somehow figure out that portsentry is running in the first place also...

~ Theo

Mike Vanecek wrote:
> On Tue, 27 Jun 2000 12:25:07 -0700, Theodore Jones <theoj@xxxxxxxxxxxxx>
> wrote:
>
> :>Hans,
> :>
> :>Care to tell me how "they" could use Portsentry against a machine? Answer me
> :>off-list if you care to...
>
> I'd like to know too. I have been using ipfilters but would like to know the danger
> of installing Portsentry.
>
> :>
> :>> Chuck schrieb:
> :>> > If you are like me: not a real hacker, you're better off protecting your
> :>> > box with IP chains and TCP wrappers instead of the solution with
> :>> > Portsentry suggested earlier in a thread. Using Portsentry if you don't
> :>> > fully understand it is like carrying a gun without knowing how to use
> :>> > it: attackers will use your own weapon against you.
> :>>
> :>> if you use portsentry or ipchains, you have to know what you're doing in
> :>> both cases; in my opinion even more if you use firewalling
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users

_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
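Brandon's advice about portsentry.ignore and PORT_BANNER, as an added pre-flight check that is not from the thread or from the Portsentry project: a POSIX shell script that refuses to (re)start Portsentry until every address you administer the RaQ from has an exact, uncommented line in portsentry.ignore, and warns if PORT_BANNER is still active so scans would learn Portsentry is there. The file paths and the 198.51.100.7 "work" address are assumptions; 209.209.209.209 is the home address used in the post.

```shell
#!/bin/sh
# portsentry-preflight.sh: run as  sh portsentry-preflight.sh 209.209.209.209 198.51.100.7
# before restarting Portsentry. Paths are assumptions; adjust to your install.
IGNORE_FILE=${IGNORE_FILE:-/usr/local/psionic/portsentry/portsentry.ignore}
CONF_FILE=${CONF_FILE:-/usr/local/psionic/portsentry/portsentry.conf}

# Print the addresses from "$@" that have no exact, uncommented line in the
# ignore file (comments and surrounding whitespace are stripped first).
# Returns 0 when nothing is missing, 1 otherwise.
missing_ignore_ips() {
    ignore_file=$1; shift
    missing=""
    for ip in "$@"; do
        if ! sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*//' "$ignore_file" \
             | grep -q -x -F "$ip"; then
            missing="$missing $ip"
        fi
    done
    missing=${missing# }
    [ -n "$missing" ] && echo "$missing"
    [ -z "$missing" ]
}

# Return 0 if portsentry.conf still has an active PORT_BANNER= line, i.e. a
# blocked scanner would be told that Portsentry dropped the connection.
banner_enabled() {
    grep -q '^[[:space:]]*PORT_BANNER=' "$1"
}

main() {
    # localhost is always checked, plus every admin address given on the command line
    if missing_ignore_ips "$IGNORE_FILE" 127.0.0.1 "$@"; then
        echo "ok: all admin addresses are listed in $IGNORE_FILE"
    else
        echo "refusing to restart portsentry: the addresses above are missing from $IGNORE_FILE" >&2
        exit 1
    fi
    if banner_enabled "$CONF_FILE"; then
        echo "warning: PORT_BANNER is set in $CONF_FILE; comment it out so a blocked host just sees the server go dark" >&2
    fi
}

# Only run the checks when admin addresses were passed, so the functions can be sourced.
[ $# -gt 0 ] && main "$@"
```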