[NTLUG:Discuss] How do I teach my firewall to drop

David South Jr djsouth at monolithic.com
Mon Apr 9 12:38:26 CDT 2001


>Don't forget the Stealth Kernel Patch..

I'm using IPChains in stealth mode. That is, whenever they try to scan 
port 53 (for example) on my class-C ip range, my firewall will drop 
(DENY) the packets rather than send back a rejection packet (REJECT). 
Except on the two IP addresses where the actual DNS servers exist. I 
have to allow that traffic or else legitimate users can't reach my DNS 
servers.

Here is the problem. I see that port 53 was scanned for an entire range 
of addresses. That means it is a port scan. But the scan does not trip 
my portsentry program (which is running and only listening on the 
firewall). So portsentry doesn't drop all the packets (whatever the 
type) from that offending system.

I need a program, or settings for my existing programs, to understand 
that someone is doing a scan of my DMZ and that it should be stopped.

>Oh and thanks for the link to grc.com!  I ran the 'probe my ports'
>test and of course it reported which ports I had open, and which
>ports I had stealthed..(thanks to the stealth patch) Ok.

You're welcome. grc.com is great.

>I read this tidbit on the results of my scan.  (talking about the
>IDENT port: "Only the latest, highest technology, adaptive firewalls
>are smart enough to stealth this port against random probes while
>showing it closed to queries from valid servers.")

Ident (pidentd) shows the user-name of the port connections and reports 
that back to the other system. It is not really necessary for the system 
and is something I'm not even running.

>So, two questions:
>1) should ident be closed?

Yes, I think you should stop running Ident and drop (DENY) the packets. 
Of course, if someone can give me an example as to why I should run 
Ident, I'd love to hear it.

>2) Does Linux have the ability to make an open port APPEAR stealthed to
>a scan, while allowing valid traffic to pass? (wouldn't stateful
>filtering be involved in an operation like that?)

Actually, this is exactly what I'm trying to do. Port scans of the IP 
range should show who is trying to hack the system. I want to drop those 
people so they can't even reach my real servers.

On a single box with a single static IP, I think that stateful filtering 
with IPTables on the new kernel will probably fit the bill. Keep in mind 
that stateful filtering requires a lot more resources because the 
computer must keep track of every connection individually.

Anybody else have suggestions?

DJ
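The gap described in this post (a port-53 sweep across the whole class-C that a host-based portsentry on the firewall never sees), as an added example that is not part of the original message or of any tool named in it: a small Python detector that reads netfilter-style LOG lines from the firewall's DENY/DROP rule and flags any source that has hit the same destination port on many distinct hosts in the range. The log lines are constructed samples, and the "DROP-IN:" log prefix, the threshold, and the function names are assumptions; queries that reach the two real DNS servers are accepted by the firewall and so never appear in these denied-packet logs, which is why counting denied destinations per source works.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Hypothetical threshold: a source that probes one port on at least this
# many distinct destination hosts is treated as sweeping the range.
SWEEP_THRESHOLD = 5

# Matches the key=value fields written by the netfilter LOG target.
# DPT is optional because ICMP lines carry no port.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?DPT=(?P<dpt>\d+))?"
)


def _log_line(src, dst, proto="TCP", dpt=None):
    """Build one constructed sample line in the LOG target's style.

    "DROP-IN:" is an assumed --log-prefix on the firewall's deny rule, so
    every sample line is a packet the firewall already refused."""
    tail = f" SPT=40001 DPT={dpt} SYN" if dpt is not None else " TYPE=8 CODE=0"
    return (f"Apr  9 12:38:26 fw kernel: DROP-IN: IN=eth0 OUT= SRC={src} "
            f"DST={dst} LEN=60 TTL=48 PROTO={proto}{tail}")


# Constructed sample log (not real traffic): one source walks port 53
# across six hosts, one touches port 22 on two hosts, one sends a single
# denied HTTP SYN and a ping to a host that is not a web server.
SAMPLE_LOG = (
    [_log_line("203.0.113.7", f"192.0.2.{h}", dpt=53) for h in range(1, 7)]
    + [_log_line("203.0.113.9", "192.0.2.3", dpt=22),
       _log_line("203.0.113.9", "192.0.2.4", dpt=22)]
    + [_log_line("198.51.100.20", "192.0.2.9", dpt=80),
       _log_line("198.51.100.20", "192.0.2.9", proto="ICMP")]
)


def parse_line(line):
    """Return {src, dst, proto, dpt} for a LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    dpt = m.group("dpt")
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(dpt) if dpt is not None else None,
    }


def find_sweeps(lines, threshold=SWEEP_THRESHOLD):
    """Map each sweeping source to {port: [distinct denied destinations]}.

    A host-based sensor only sees probes aimed at its own address; this
    aggregates over DST across the whole range, which only the firewall
    log can do."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dpt"] is None:
            continue  # unparsable or portless (ICMP) line
        targets[rec["src"]][rec["dpt"]].add(rec["dst"])

    sweeps = {}
    for src, ports in targets.items():
        hits = {dpt: sorted(dsts, key=ip_address)
                for dpt, dsts in ports.items() if len(dsts) >= threshold}
        if hits:
            sweeps[src] = hits
    return sweeps


def drop_rules(sweeps):
    """Render an iptables DROP rule per sweeping source (ipchains form
    would be 'ipchains -I input -s <src> -j DENY')."""
    return [f"iptables -I INPUT -s {src} -j DROP"
            for src in sorted(sweeps, key=ip_address)]


if __name__ == "__main__":
    found = find_sweeps(SAMPLE_LOG)
    for src, ports in found.items():
        for dpt, dsts in ports.items():
            print(f"{src} swept port {dpt} on {len(dsts)} hosts: {dsts}")
    for rule in drop_rules(found):
        print(rule)
```

Feed it the firewall's syslog instead of SAMPLE_LOG to use it for real; the threshold is the knob that separates a sweep from a few stray connections, and a source that scans only the two legitimate DNS addresses will not show up at all, since those packets are accepted rather than logged as denied.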