Re: [cobalt-users] Question on SHP
- Subject: Re: [cobalt-users] Question on SHP
- From: "Rick Ewart" <cobalt@xxxxxxxxx>
- Date: Fri Oct 11 05:48:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> Like a lot of us, I installed the Cobalt SHP package before they pulled it
> so I haven't touched it. I see that it is working as I get at least 2 or 3
> port scans a day and being notified by email.
>
> eth0:portscan: tcp xx.xx.xx.xx/27374 -> 61.96.29.56/2787 40 rst (30)
>
> My current config for SHP is 'log and block' which it is doing, I think once
> it detects the portscan it locks them out for 5 minutes.

I think the discussion and the issue was that this could cause a DOS
situation, especially if I were to spoof the IPs of the Root servers on the
Net and you blocked them. Also, I seem to recall an overflow issue or
something.
Bottom line, I think the proper thing to do was disable it and set it for
"do nothing".

> The question is, once I'm notified, does SHP add them to a data file in the
> event they try to portscan again, they're blocked, or do I have to add them to
> the GUI manually?

Not on a permanent basis, as that would defeat the purpose of only blocking
them for 5 minutes. If you want to permanently disable scanners, I would
recommend you trace each IP back before adding them permanently so that you
don't inadvertently block a root server or some other important server that
might cause DOS issues.
HTH,
Rick
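
The triage suggested in the reply above can be scripted. The following is an added example, not part of the original message and not SHP code: it parses alert lines in the format quoted in the thread, refuses to list never-block addresses, and sends only repeat sources to manual review. The never-block list, the `min_alerts` threshold, and the sample alerts are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Alert format as quoted in the thread: IFACE:portscan: PROTO SRC/PORT -> DST/PORT ...
ALERT_RE = re.compile(
    r"^(?P<iface>\w+):portscan: (?P<proto>\w+) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) -> (?P<dst>[\d.]+)/(?P<dport>\d+)")

# Assumption: a partial never-block list. A real one would also hold your own
# resolvers, gateways, mail relays and monitoring hosts.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "198.41.0.4/32",    # a.root-servers.net
    "192.5.5.241/32",   # f.root-servers.net
    "193.0.14.129/32",  # k.root-servers.net
    "192.0.2.0/28")]    # constructed range standing in for upstream resolvers

def parse_alert(line):
    """Return the alert fields as a dict, or None for anything malformed."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    try:
        ipaddress.ip_address(m["src"])  # reject masked or invalid addresses
    except ValueError:
        return None
    return m.groupdict()

def triage(lines, min_alerts=3):
    """Bucket alert sources; nothing here is blocked automatically.

    The source address of a scan packet can be spoofed, so even repeat
    sources only reach 'review', where a person traces the IP back first.
    """
    alerts = filter(None, map(parse_alert, lines))
    counts = Counter(a["src"] for a in alerts)
    result = {"never_block": [], "review": [], "ignore": []}
    for src, n in sorted(counts.items()):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in NEVER_BLOCK):
            result["never_block"].append(src)
        elif n >= min_alerts:
            result["review"].append(src)
        else:
            result["ignore"].append(src)
    return result

# Constructed sample alerts; the destination is the one shown in the thread.
SAMPLE = (
    ["eth0:portscan: tcp 203.0.113.9/27374 -> 61.96.29.56/2787 40 rst (30)"] * 3
    + ["eth0:portscan: tcp 198.41.0.4/53 -> 61.96.29.56/1029 40 rst (30)"] * 4
    + ["eth0:portscan: tcp 198.51.100.7/80 -> 61.96.29.56/3001 40 rst (30)",
       "unrelated log line"])
```

Calling `triage(SAMPLE)` puts the root server in `never_block` even though it has the most alerts, which is the spoofing case the reply warns about.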