
RE: [cobalt-users] Is a firewall necessary with a RaQ?



Our 'out-of-the-box' RAQ4R temporarily blocks an IP address when they
'poke' around, like when you get port scanned the IP gets suspended for
about 60 seconds.

That seems a useful feature but how does it decide that it's not me that is opening, say, port 22 for an ssh session?

I guess the real difference with something like port sentry and IP
chains is that a permanent rule gets automatically created to block that
IP, as you mention above.

I remember that portsentry did this but not for open ports, and there is nothing automatic about ipchains that I know of. As a "for instance": my box host has a very annoying feature; they call it a system monitor, but my logs see it as constant hits on ports that I have set to log attempts/connects on (22, 23, 21, etc.). I could not make sense of my normally easy-to-scan logcheck mailings. I finally figured out how to simply block all connects from the IP of the monitor and not log them (but leaving them open with logging for all connects other than that IP).

Another example. Today, now fat and happy that I can finally see my logs again with some clarity, I see about six attempts in a row from a "european internet registry" IP hitting me on my ssh port. I put in a DENY entry for that IP and set it to log. Now, if I'm not wrong on how this works, if this IP addy connects to me again on *any* port, I'll see a deny entry. Should this IP attempt a connect on a legit port, I might see my way clear to releasing that entry in my chains rules. For now, one IP is blocked because the person who was on it tried to connect to me via ssh and did not likely have good intentions.

A usability thought here - if someone is on a dynamic IP address the
next time they logon (given a fresh IP address) then the firewall would
cease to block the correct person...further an innocent person who may have
been assigned the original 'now blocked' dynamic IP could not see your
server and therefore any of your websites!

The odds of that same IP address trying to get to the server on a legit process request, having been given to someone else on a dynamic IP block, are pretty slim. I'll opt for the safer method and say g'bye to the IP addy. I have gotten pretty good at slipping down even pretty long logcheck reports though... I suppose if I saw port 80 requests being on the DENY list very often I would release that IP again.

I have to admit to some "smug" satisfaction at being able to close them off entirely from the system though.

Is my logic correct here??

Pretty much, with the exception that ipchains does not create blocks automatically, and portsentry only adds to the block list those attempts on ports that you have told it to block. It does nothing for open ports that you use daily.

WS
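An added example, not from the post or its author: a small Python pass over ipchains-style DENY log lines that counts, per blocked source IP, hits on legitimate service ports versus other ports, so that an entry worth releasing (the "port 80 requests on the DENY list" case above) stands out in a logcheck-style review. The log field layout, the sample addresses and the list of legit ports are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the ipchains "Packet log:" style (syslog prefix
# trimmed). The field layout is assumed from memory of 2.2-era kernels, not
# taken from the post; addresses are documentation ranges.
SAMPLE_LOG = """\
Packet log: input DENY eth0 PROTO=6 203.0.113.7:3345 192.0.2.10:22 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
Packet log: input DENY eth0 PROTO=6 203.0.113.7:3346 192.0.2.10:22 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Packet log: input DENY eth0 PROTO=6 198.51.100.9:1025 192.0.2.10:80 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#4)
Packet log: input DENY eth0 PROTO=6 198.51.100.9:1026 192.0.2.10:80 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#4)
Packet log: input DENY eth0 PROTO=6 198.51.100.9:1027 192.0.2.10:80 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#4)
Packet log: input DENY eth0 PROTO=6 198.51.100.9:1028 192.0.2.10:23 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#4)
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_line(line):
    """Return (src_ip, dst_port, target) for one ipchains log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("dport")), m.group("target")

def summarize_denies(log_text, legit_ports=frozenset({80, 443})):
    """Per denied source IP: how many hits landed on legit service ports vs. other ports."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "DENY":
            continue
        src, dport, _ = parsed
        stats[src]["legit" if dport in legit_ports else "other"] += 1
    return {ip: dict(c) for ip, c in stats.items()}

def release_candidates(log_text, min_legit_hits=3, legit_ports=frozenset({80, 443})):
    """IPs whose denied traffic was mostly to legit ports: worth a manual look before unblocking."""
    out = []
    for ip, c in summarize_denies(log_text, legit_ports).items():
        if c.get("legit", 0) >= min_legit_hits and c.get("legit", 0) > c.get("other", 0):
            out.append(ip)
    return sorted(out)

if __name__ == "__main__":
    for ip in release_candidates(SAMPLE_LOG):
        print(f"review/unblock candidate: {ip}")
```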
