Re: [cobalt-users] Portsentry again
- Subject: Re: [cobalt-users] Portsentry again
- From: flash22@xxxxxxx
- Date: Tue Jun 5 16:13:01 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Wed, 6 Jun 2001, Zarrir Junior wrote:
> I was searching the archives regarding hosts.deny growing too quick
> internet in general. This is just script kiddie behavior... kids who scan
> ports 111 and 137-9 are looking for common vulnerabilities on unix and
...
> I have never messed with port 111 on my rack so i guess it has never
> been used. Is it that simple, i mean could i just uncomment port 111 in the
> portsentry.conf file? Why then do they keep on insisting on this port?
Yes, providing you are certain you aren't listening on it (if you don't
have NFS set up you probably aren't listening on 111).
There is little benefit in listening on port 137; you will just see
garbage on it. If you get a real SYN attack on this port, the kernel will
tell you about it anyhow...
They keep trying because:
a) They don't tell each other they already tried
b) The various worms come preconfigured for certain blocks of IP addresses
and test them automatically, so every time a machine gets a worm it will
test the same IP addresses
c) Kiddie haqqers aren't terribly bright; it rarely occurs to them that
several thousand other kiddies have already scanned the same IP addresses
(on the other hand, sometimes they get lucky, someone puts up a new
machine, changes the software, etc)
> I also examined my hosts.deny file and i found, among 200 listed ips, one
> ip which is repeated 20 times in 20 consecutive lines. How can that happen
> if it should have been instantly blocked since the first scan?
200 isn't that much, it's 800 bytes of memory, less than 1k ;)
One way you can make it smaller, if it bugs you, is to combine consecutive
addresses, but I'd also tend to remove old IPs from time to time. They
are sometimes obsoleted (people do fix rooted machines, you know), and
portsentry will add an IP regardless of whether it's a static IP or a dynamic
dialup IP; it doesn't know. In the latter case, listing it is totally
pointless after a day or so.
You can occasionally get duplicates because multiple addresses get scanned
very fast, and portsentry doesn't block the address before the next packet
from the same address, but to a different interface, arrives, so it can
occasionally duplicate... (it's what we poor slob programmers call a
'window of uncertainty' ;)
> One last question:
> Is it wise to include all my virtual sites' IPs in the portsentry.ignore file,
> or does it not matter if I don't?
It's Very IMPORTANT that all your own IPs be in the ignore file; if you
don't do this you can end up derouting yourself if you are subject to a
kind of address spoofing attack...
e.g., a packet arrives claiming to be 'from' your own IP address, portsentry
then happily does "route add -reject" on it, and poof, that interface doesn't
work anymore ;)
How probable this is depends on what mode portsentry is in, and how good
the inbound filtering from your ISP is (e.g., in theory they shouldn't be
routing you packets from yourself ;)
Don't forget to also include the >gateway< IP address... (the IP your
machine sends to at your ISP, usually one less than your lowest listening
IP address, but you may have multiple addresses capable of being gateways
if you have non-contiguous IP blocks into the machine)
eek... I'm writing a book... stop already... :>
gsh
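Two checks that follow from gsh's reply, written here as an added example (not code from the original thread or from PortSentry itself): deduplicating a hosts.deny that PortSentry has appended to, and verifying that portsentry.ignore covers every local address plus the gateway so a packet spoofed "from" one of them cannot make PortSentry route-reject the box's own interface. It assumes PortSentry appends lines of the form `ALL: a.b.c.d` to hosts.deny (the format its KILL_HOSTS_DENY option writes by default; assumed here) and that portsentry.ignore holds one address or address/netmask per line with `#` comments. The file contents and addresses are constructed samples.

```python
"""Added example for the PortSentry discussion above (not original code).

1. dedupe_hosts_deny: drop the repeated 'ALL: <ip>' lines that PortSentry's
   'window of uncertainty' produces, keeping the first occurrence.
2. missing_from_ignore / spoof_self_block: show which local addresses and
   the gateway are absent from portsentry.ignore, i.e. which spoofed source
   addresses would get this machine to reject-route itself.

Assumption: hosts.deny entries look like 'ALL: a.b.c.d'; portsentry.ignore
is one address or address/netmask per line with '#' comments.
"""
import ipaddress
from typing import List, Set

# Constructed sample: hosts.deny after a few scans, with one scanner
# duplicated three times and the usual 'ALL: PARANOID' line on top.
SAMPLE_HOSTS_DENY = """\
ALL: PARANOID
ALL: 192.0.2.10
ALL: 198.51.100.7
ALL: 192.0.2.10
ALL: 192.0.2.10
ALL: 203.0.113.44
"""

# Constructed sample: an ignore file that forgot one virtual-host address
# and the gateway.
SAMPLE_IGNORE = """\
# Addresses PortSentry must never block
127.0.0.1
0.0.0.0
192.0.2.100
192.0.2.101
"""

# Constructed sample: addresses bound on this machine and its gateway.
LOCAL_ADDRS = ["192.0.2.100", "192.0.2.101", "192.0.2.102"]
GATEWAY = "192.0.2.97"


def dedupe_hosts_deny(text: str) -> List[str]:
    """Return hosts.deny lines with exact duplicates removed.

    Order is preserved so comments and the PARANOID line stay where
    they were; only later copies of an identical line are dropped.
    """
    seen: Set[str] = set()
    out: List[str] = []
    for line in text.splitlines():
        key = line.strip()
        if key in seen:
            continue
        seen.add(key)
        out.append(line)
    return out


def parse_ignore(text: str) -> Set[ipaddress.IPv4Network]:
    """Parse portsentry.ignore into networks (a bare address is a /32)."""
    nets: Set[ipaddress.IPv4Network] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if line:
            nets.add(ipaddress.ip_network(line, strict=False))
    return nets


def is_ignored(addr: str, nets: Set[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def missing_from_ignore(ignore_text: str, local_addrs: List[str],
                        gateway: str) -> List[str]:
    """Local addresses and the gateway that the ignore file does not cover."""
    nets = parse_ignore(ignore_text)
    return [a for a in local_addrs + [gateway] if not is_ignored(a, nets)]


def spoof_self_block(source: str, ignore_text: str) -> bool:
    """True if a packet spoofed from `source` would trigger a block on it,
    i.e. PortSentry would happily reject-route one of our own addresses."""
    return not is_ignored(source, parse_ignore(ignore_text))


def fixed_ignore(ignore_text: str, local_addrs: List[str],
                 gateway: str) -> str:
    """Return the ignore file with the missing entries appended."""
    extra = missing_from_ignore(ignore_text, local_addrs, gateway)
    if not extra:
        return ignore_text
    return ignore_text + "\n".join(extra) + "\n"


if __name__ == "__main__":
    print("\n".join(dedupe_hosts_deny(SAMPLE_HOSTS_DENY)))
    print("missing from ignore:",
          missing_from_ignore(SAMPLE_IGNORE, LOCAL_ADDRS, GATEWAY))
    print(fixed_ignore(SAMPLE_IGNORE, LOCAL_ADDRS, GATEWAY))
```

Run it against the real /etc/hosts.deny and portsentry.ignore by reading those files into the two text arguments; the interface list and gateway come from `ifconfig` and `route -n` on a box of that era. Note that deduplicating only removes identical lines; collapsing neighbouring addresses into an address/netmask entry widens the block to addresses you never saw, so do that deliberately rather than automatically.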