[NTLUG:Discuss] How do I teach my firewall to drop Script-Kiddies
David South Jr
djsouth at monolithic.com
Sat Apr 7 12:38:11 CDT 2001
I have a question about firewalls and how to stop script-kiddies in
their tracks.
At work I run a system like this:
Internet --> Router --> Firewall --> DMZ Servers --> Proxy --> LAN
The Firewall, DMZ Servers, and Proxy server are all running Red Hat 7.0.
Only the essential programs necessary for each server are loaded on the
machines. No client software, no GUI, nothing but the essential daemons.
The Firewall is running IPChains for packet filtering with portsentry
and tripwire to help prevent tampering with the firewall. Our assigned
ClassC is subnetted for the DMZ.
In other words, the DMZ servers all have Internet addressable IPs. The
Proxy is a full NAT for the internal LAN running on a Private IP range.
Every day, every hour even, my network is probed. Most often the probes
run through the entire DMZ range of IPs trying to reach port 53 (DNS),
111 (Sun RPC portmapper), 25 (SMTP), 21 (FTP), etc.
Obviously I do have two machines (for example) in the DMZ running name
servers on port 53. These machines are undoubtedly found by the person
running the scan. But I know that these people shouldn't be allowed to
access these servers. Yet, because the firewall itself is not being
attacked, portsentry does not drop these IP addresses from being passed on.
I need a method of teaching the Firewall to recognize these rejected
sequences as hacks and to put them on a blocked list.
Anybody have suggestions?
Thanks,
DJ
PS - I received so many port 137 (windows share) scans that I finally
just dropped them entirely at the router. Otherwise, my firewall logs
would fill completely with these scans. If you are running a windows
machine on the net, please double check your security at www.grc.com,
these kids will find you if you don't.
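The post asks for a way to turn a firewall's own log of a DMZ sweep into a block list. Below is an added example of that detection step; it is not code from the original post or from portsentry. It parses kernel "Packet log:" lines of the shape ipchains writes when a rule carries the -l option, counts how many distinct DMZ hosts each source address touched, flags sources that exceed a threshold, and renders an ipchains DENY rule per flagged source as a string (nothing is executed). The log lines, the addresses, the threshold of four hosts and the whitelist are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of ipchains "Packet log:" kernel
# messages (addresses are documentation ranges, not from the original post).
SAMPLE_LOG = """\
Apr  7 11:02:13 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4321 203.0.113.10:111 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#12)
Apr  7 11:02:13 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4322 203.0.113.11:111 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#12)
Apr  7 11:02:14 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4323 203.0.113.12:111 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#12)
Apr  7 11:02:14 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4324 203.0.113.13:111 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#12)
Apr  7 11:02:14 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4325 203.0.113.14:21 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#12)
Apr  7 11:05:40 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.55:33001 203.0.113.10:25 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#12)
Apr  7 11:09:02 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.55:1030 203.0.113.10:53 L=60 S=0x00 I=0 F=0x0000 T=64 (#14)
"""

# Fields of an ipchains log entry: chain, verdict, interface, protocol,
# then "src:sport dst:dport". Anything after the ports is ignored here.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_log(text):
    """Turn raw syslog text into a list of {src, dst, dport, proto} events."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append({
                "src": m["src"],
                "dst": m["dst"],
                "dport": int(m["dport"]),
                "proto": int(m["proto"]),
            })
    return events


def find_sweepers(events, host_threshold=4, whitelist=()):
    """Return {src: set(dst hosts)} for sources that touched at least
    host_threshold distinct destination hosts. A single client talking to
    one DNS or mail server never reaches the threshold; a sweep across the
    DMZ range does. Addresses in whitelist (own monitoring hosts, for
    example) are never flagged. The threshold value is an assumption."""
    touched = defaultdict(set)
    for e in events:
        if e["src"] in whitelist:
            continue
        touched[e["src"]].add(e["dst"])
    return {src: hosts for src, hosts in touched.items()
            if len(hosts) >= host_threshold}


def block_rules(sweepers):
    """Render one ipchains rule per flagged source, inserted at the head of
    the input chain and logged (-l) so the block itself shows up in syslog.
    Strings only; applying them is left to the operator."""
    return [f"ipchains -I input 1 -s {src}/32 -j DENY -l"
            for src in sorted(sweepers)]


if __name__ == "__main__":
    flagged = find_sweepers(parse_log(SAMPLE_LOG))
    for src, hosts in flagged.items():
        print(f"{src} touched {len(hosts)} DMZ hosts")
    for rule in block_rules(flagged):
        print(rule)
```

Counting distinct destination hosts, rather than raw packet count, is what separates a sweep from a busy legitimate client, and the whitelist keeps the firewall from locking out the administrator's own hosts. Any rule list generated this way should expire entries after a while, since a spoofed source address could otherwise be used to get a legitimate peer blocked.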