[NTLUG:Discuss] How do I teach my firewall to drop Script-Kiddies
Richard Geoffrion
richard at rain.lewisville.tx.us
Sat Apr 7 23:04:16 CDT 2001
[FROM A PREVIOUS POST]
Nice post!
Don't forget the Stealth Kernel Patch..
http://freshmeat.net/projects/stealthpatch/?highlight=stealth+kernel+patch
http://www.energymech.net/madcamel/fm/
And Port Sentry:
http://www.psionic.com/download/
[/FROM A PREVIOUS POST]
Oh, and thanks for the link to grc.com! I ran the 'probe my ports' test and
of course it reported which ports I had open, and which ports I had
stealthed (thanks to the stealth patch). OK.
I read this tidbit in the results of my scan (talking about the IDENT
port): "Only the latest, highest technology, adaptive firewalls are smart
enough to stealth this port against random probes while showing it closed to
queries from valid servers."
So, two questions:
1) should ident be closed?
2) Does Linux have the ability to make an open port APPEAR stealthed to a
scan, while allowing valid traffic to pass? (wouldn't stateful filtering be
involved in an operation like that?)
----- Original Message -----
From: "David South Jr" <djsouth at monolithic.com>
To: <discuss at ntlug.org>
Sent: Saturday, April 07, 2001 12:38 PM
Subject: [NTLUG:Discuss] How do I teach my firewall to drop Script-Kiddies
> I have a question about firewalls and how to stop script-kiddies in
> their tracks.
>
> At work I run a system like this:
>
> Internet --> Router --> Firewall --> DMZ Servers --> Proxy --> LAN
>
> The Firewall, DMZ Servers, and Proxy server are all running Red Hat 7.0.
> Only the essential programs necessary for each server are loaded on the
> machines. No client software, no GUI, nothing but the essential daemons.
>
> The Firewall is running IPChains for packet filtering with portsentry
> and tripwire to help prevent tampering with the firewall. Our assigned
> ClassC is subnetted for the DMZ.
>
> In other words, the DMZ servers all have Internet addressable IPs. The
> Proxy is a full NAT for the internal LAN running on a Private IP range.
>
> Every day, every hour even, my network is probed. Most often the probes
> run through the entire DMZ range of IPs trying to reach port 53 (DNS),
> 111 (Sun RPC portmapper), 25 (SMTP), 21 (FTP), etc.
>
> Obviously I do have two machines (for example) in the DMZ running name
> servers on port 53. These machines are undoubtedly found by the person
> running the scan. But I know that these people shouldn't be allowed to
> access these servers. Yet, because the firewall itself is not being
> attacked, portsentry does not drop these IP addresses from being passed
> on.
>
> I need a method of teaching the Firewall to recognize these rejected
> sequences as hacks and to put them on a blocked list.
>
> Anybody have suggestions?
>
> Thanks,
>
> DJ
>
>
> PS - I received so many port 137 (windows share) scans that I finally
> just dropped them entirely at the router. Otherwise, my firewall logs
> would fill completely with these scans. If you are running a windows
> machine on the net, please double check your security at www.grc.com,
> these kids will find you if you don't.
>
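David's request in the quoted message (a way for the firewall to notice that one source is walking the whole DMZ range and put it on a block list, even though each individual connection to a published service is allowed) can be met from the firewall's own syslog rather than from portsentry, which only sees packets aimed at the firewall itself. The script below is an added example written for this page; it is not code from the thread, from portsentry or from ipchains. It assumes the firewall logs new connections toward the DMZ with ipchains' `-l` flag (the `Packet log:` syslog format), that the DMZ is 203.0.113.0/24 (a documentation range standing in for the real class C), and the log lines in `SAMPLE_LOG` are constructed for the example.

```bash
#!/bin/sh
# Added example, not from the thread: find hosts that sweep the DMZ range
# on one port, using only the firewall's syslog. Lines are constructed in
# the ipchains "-l" format; all addresses are documentation ranges.

SAMPLE_LOG='Apr  7 22:10:01 fw kernel: Packet log: forward ACCEPT eth0 PROTO=6 198.51.100.7:33012 203.0.113.2:53 L=60 S=0x00 I=1 F=0x4000 T=48 SYN (#3)
Apr  7 22:10:01 fw kernel: Packet log: forward ACCEPT eth0 PROTO=6 198.51.100.7:33013 203.0.113.3:53 L=60 S=0x00 I=2 F=0x4000 T=48 SYN (#3)
Apr  7 22:10:02 fw kernel: Packet log: forward DENY eth0 PROTO=6 198.51.100.7:33014 203.0.113.4:53 L=60 S=0x00 I=3 F=0x4000 T=48 SYN (#9)
Apr  7 22:10:02 fw kernel: Packet log: forward DENY eth0 PROTO=6 198.51.100.7:33015 203.0.113.5:53 L=60 S=0x00 I=4 F=0x4000 T=48 SYN (#9)
Apr  7 22:10:03 fw kernel: Packet log: forward DENY eth0 PROTO=6 198.51.100.7:33016 203.0.113.2:111 L=60 S=0x00 I=5 F=0x4000 T=48 SYN (#9)
Apr  7 22:10:03 fw kernel: Packet log: forward DENY eth0 PROTO=6 198.51.100.7:33017 203.0.113.3:111 L=60 S=0x00 I=6 F=0x4000 T=48 SYN (#9)
Apr  7 22:11:40 fw kernel: Packet log: forward ACCEPT eth0 PROTO=6 192.0.2.25:2049 203.0.113.2:25 L=60 S=0x00 I=7 F=0x4000 T=52 SYN (#3)
Apr  7 22:12:05 fw kernel: Packet log: forward ACCEPT eth0 PROTO=6 192.0.2.25:2050 203.0.113.2:25 L=60 S=0x00 I=8 F=0x4000 T=52 SYN (#3)
Apr  7 22:13:00 fw kernel: Packet log: forward ACCEPT eth0 PROTO=6 198.51.100.9:4000 203.0.113.2:80 L=60 S=0x00 I=9 F=0x4000 T=60 SYN (#3)
Apr  7 22:13:01 fw kernel: Packet log: forward ACCEPT eth0 PROTO=6 198.51.100.9:4001 203.0.113.3:80 L=60 S=0x00 I=10 F=0x4000 T=60 SYN (#3)'

# find_sweeps THRESHOLD  < logfile
# Prints "source dport hosts" for every source that touched at least
# THRESHOLD distinct DMZ addresses on the same destination port. A real
# client talks to one or two of our servers; a sweep walks the range,
# whether or not each individual packet was ACCEPTed or DENYed.
find_sweeps() {
    awk -v thr="${1:-3}" -v dmz="203.0.113." '
        /Packet log:/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^PROTO=/) { src = $(i + 1); dst = $(i + 2); break }
            if (src == "" || dst == "") next
            split(src, s, ":"); split(dst, d, ":")      # "ip:port" -> ip, port
            if (index(d[1], dmz) != 1) next             # only traffic aimed at the DMZ
            key = s[1] " " d[2]                         # (source, destination port)
            if (!((key, d[1]) in seen)) { seen[key, d[1]] = 1; hosts[key]++ }
        }
        END { for (k in hosts) if (hosts[k] >= thr) print k, hosts[k] }
    ' | LC_ALL=C sort
}

# block_list THRESHOLD  < logfile
# Turns the sweep report into ipchains commands for review. They are
# printed, not executed: blocking on one noisy scan can lock out a shared
# or spoofed address, so a human (or a cron job with a whitelist) applies
# them.
block_list() {
    find_sweeps "${1:-3}" | awk '{ print $1 }' | LC_ALL=C sort -u |
        while read -r ip; do
            echo "ipchains -I input -s $ip -j DENY -l"
        done
}

# Demo on the constructed sample (reads the same format from a real log
# via: grep 'Packet log:' /var/log/messages | block_list 3):
#   printf '%s\n' "$SAMPLE_LOG" | block_list 3
```

The threshold is the whole policy: three distinct DMZ hosts on one port within the log window is a sweep, two is ambiguous (the 198.51.100.9 web visits above), and a single busy client never trips it no matter how many connections it makes.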
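Richard's second question (can Linux make a port appear stealthed to a scan while valid traffic still passes, and is that stateful filtering?) is exactly what connection tracking does. The ruleset below is an added example for this page, not the original poster's configuration and not anything from the thread. It assumes a 2.4 kernel with iptables (the ipchains in Red Hat 7.0 is stateless, so this pattern is not available there), `eth0` as the Internet-facing interface, 203.0.113.0/26 as the DMZ subnet (documentation range), and an `IPT` variable so the script can be dry-run with `IPT="echo iptables"`.

```bash
#!/bin/sh
# Added example, not from the thread: a minimal stateful netfilter ruleset
# that drops unsolicited probes silently ("stealth" in grc.com's terms)
# while letting the replies to our own connections through.
IPT="${IPT:-iptables}"                 # set IPT="echo iptables" to dry-run
EXT_IF="${EXT_IF:-eth0}"               # assumption: eth0 faces the Internet
DMZ_NET="${DMZ_NET:-203.0.113.0/26}"   # assumption: documentation range

build_rules() {
    # Default-deny. A DROP policy answers a probe with nothing at all, so
    # the scanner cannot tell an open-but-filtered port from a dead host.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F

    # The stateful part: packets belonging to a connection that we or a
    # DMZ host initiated are accepted by connection tracking. An unsolicited
    # packet to the very same port number has no conntrack entry, falls
    # through to the DROP policy, and the port looks "stealthed" to a scan.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # Log the first packet of each new TCP connection toward the DMZ so a
    # sweep across the range shows up in syslog; rate-limited so a flood
    # (the port-137 scans in the thread) cannot fill the logs.
    $IPT -A FORWARD -i "$EXT_IF" -d "$DMZ_NET" -p tcp --syn \
         -m limit --limit 10/minute -j LOG --log-prefix "FW-NEW: "

    # Only NEW connections to services we actually publish reach the DMZ.
    for port in 25 53 80; do
        $IPT -A FORWARD -i "$EXT_IF" -d "$DMZ_NET" -p tcp --dport "$port" \
             -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$EXT_IF" -d "$DMZ_NET" -p udp --dport 53 -j ACCEPT

    # ident (113): silently dropping it makes remote mail servers that send
    # an ident query wait for a timeout before taking our mail. A TCP reset
    # tells them "closed" at once. Delete this rule to stealth the port
    # instead; the two behaviours are the trade-off grc.com is describing.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}

# Apply only when asked explicitly: ./fw.sh apply
case "${1:-}" in
    apply) build_rules ;;
esac
```

Rule order carries the meaning: the ESTABLISHED,RELATED accept must come before any port-specific rule, and the ident REJECT must come before the implicit DROP, otherwise the port is stealthed rather than closed. Run with `IPT="echo iptables"` to print the rules instead of loading them.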