[NTLUG:Discuss] How do I teach my firewall to drop
Michael H. Collins
mhtexcollins at austin.rr.com
Mon Apr 9 21:47:58 CDT 2001
conectiva rox <grin>
David South Jr wrote:
> >Don't forget the Stealth Kernel Patch..
>
> I'm using IPChains in stealth mode. That is, whenever they try to scan
> port 53 (for example) on my class-C ip range, my firewall will drop
> (DENY) the packets rather than send back a rejection packet (REJECT).
> Except on the two IP addresses where the actual DNS servers exist. I
> have to allow that traffic or else legitimate users can't reach my DNS
> servers.
>
> Here is the problem. I see that port 53 was scanned for an entire range
> of addresses. That means it is a port scan. But the scan does not trip
> my portsentry program (which is running and only listening on the
> firewall). So portsentry doesn't drop all the packets (whatever the
> type) from that offending system.
>
> I need a program, or settings for my existing programs, to understand
> that someone is doing a scan of my DMZ and that it should be stopped.
>
> >Oh and thanks for the link to grc.com! I ran the 'probe my ports'
> >test and of course it reported which ports I had open, and which
> >ports I had stealthed..(thanks to the stealth patch) Ok.
>
> You're welcome. grc.com is great.
>
> >I read this tidbit on the results of my scan. (talking about the
> >IDENT port: "Only the latest, highest technology, adaptive firewalls
> >are smart enough to stealth this port against random probes while
> >showing it closed to queries from valid servers.")
>
> Ident (pidentd) shows the user-name of the port connections and reports
> that back to the other system. It is not really necessary for the system
> and is something I'm not even running.
>
> >So, two questions:
> >1) should ident be closed?
>
> Yes, I think you should stop running Ident and drop (DENY) the packets.
> Of course, if someone can give me an example as to why I should run
> Ident, I'd love to hear it.
>
> >2) Does Linux have the ability to make an open port APPEAR stealthed to
> >a scan, while allowing valid traffic to pass? (wouldn't stateful
> >filtering be involved in an operation like that?)
>
> Actually, this is exactly what I'm trying to do. Port scans of the IP
> range should show who is trying to hack the system. I want to drop those
> people so they can't even reach my real servers.
>
> On a single box with a single static IP, I think that stateful filtering
> with IPTables on the new kernel will probably fit the bill. Keep in mind
> that stateful filtering requires a lot more resources because the
> computer must keep track of every connection individually.
>
> Anybody else have suggestions?
>
> DJ
>
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
--
Michael H. Collins http://www.linuxlink.com
Admiral Penguinista Navy International
This ain't California http://www.geekaustin.org
Speech Enabled Chat http://phphreaks.net/bxspeak/
*Ask me about Plan 9*
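The detector the quoted message asks for, as an added example that is not part of the thread and not code from any of its participants. portsentry only sees probes aimed at the firewall host itself, so a sweep of port 53 across the whole class-C never trips it; what does reveal the sweep is the firewall's own DENY/DROP log, where one source hits the same port on many different destination addresses. The script below parses both the ipchains "Packet log:" line and the iptables LOG-target line (the regexes are my reading of those formats), counts distinct DMZ destinations per (source, protocol, port), flags anything over a threshold, and returns the iptables commands that would blackhole the source. The sample log lines, the 198.51.100.0/24 DMZ, the threshold of 5 and the exempt list are all constructed for the example.

```python
"""Spot a horizontal scan (one source, one port, many DMZ addresses) in a
firewall's dropped-packet log.  Added example for this thread, not code from
the original post; log formats, sample lines and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# iptables LOG target (kernel 2.4): "... SRC=a.b.c.d DST=a.b.c.d ... PROTO=TCP SPT=n DPT=n ..."
# ICMP lines carry no SPT/DPT and are deliberately left unmatched.
IPTABLES_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dport>\d+)"
)
# ipchains (kernel 2.2): "Packet log: input DENY eth0 PROTO=6 a.b.c.d:sport a.b.c.d:dport ..."
IPCHAINS_RE = re.compile(
    r"Packet log: \S+ \S+ \S+ PROTO=(?P<proto>\d+) (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)"
)
PROTO_NAMES = {"6": "TCP", "17": "UDP"}  # ipchains logs protocol numbers, iptables logs names

# Constructed sample log (not real traffic).  192.0.2.10 sweeps port 53 across
# 198.51.100.3-.10; 203.0.113.7 is a single host that hit one address twice.
# Both log formats appear so that both parsers are exercised.
SAMPLE_LOG = """\
Apr  9 21:40:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1003 DF PROTO=TCP SPT=40003 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:40:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1004 DF PROTO=TCP SPT=40004 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:40:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1005 DF PROTO=TCP SPT=40005 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:40:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.6 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1006 DF PROTO=TCP SPT=40006 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:40:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1007 DF PROTO=TCP SPT=40007 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:40:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1008 DF PROTO=TCP SPT=40008 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:40:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40009 198.51.100.9:53 L=60 S=0x00 I=1009 F=0x4000 T=51 SYN (#5)
Apr  9 21:40:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40010 198.51.100.10:53 L=60 S=0x00 I=1010 F=0x4000 T=51 SYN (#5)
Apr  9 21:40:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.3 LEN=64 TOS=0x00 PREC=0x00 TTL=60 ID=2001 PROTO=UDP SPT=1025 DPT=53 LEN=44
Apr  9 21:40:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.3 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=2002 DF PROTO=TCP SPT=1026 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  9 21:40:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1011 DF PROTO=TCP SPT=40011 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:40:06 fw kernel: martian source 10.0.0.1 from 192.0.2.10, on dev eth0
"""


def parse_line(line):
    """Return (src, dst, proto, dport) for a dropped-packet log line, or None."""
    m = IPTABLES_RE.search(line) or IPCHAINS_RE.search(line)
    if not m:
        return None  # not a port-carrying drop line (ICMP, kernel chatter, ...)
    proto = PROTO_NAMES.get(m.group("proto"), m.group("proto")).upper()
    return m.group("src"), m.group("dst"), proto, int(m.group("dport"))


def find_horizontal_scans(log_lines, dmz, min_targets=5, exempt=()):
    """Map (src, proto, dport) -> sorted list of distinct DMZ addresses probed,
    keeping only sources that touched at least min_targets addresses.

    dmz is the monitored range (CIDR); exempt lists addresses that must never
    count, e.g. the two real DNS servers, so that a legitimate resolver which is
    logged talking to both of them does not look like a scanner.
    """
    net = ipaddress.ip_network(dmz)
    skip = {ipaddress.ip_address(a) for a in exempt}
    targets = defaultdict(set)
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip not in net or dst_ip in skip:
            continue  # outside the DMZ, or an address we deliberately ignore
        targets[(src, proto, dport)].add(dst)
    # Sort numerically so 198.51.100.10 follows .9 rather than .1
    return {
        key: sorted(dsts, key=ipaddress.ip_address)
        for key, dsts in targets.items()
        if len(dsts) >= min_targets
    }


def drop_rules(scans):
    """iptables commands that would blackhole each flagged source (returned, not run)."""
    return sorted({f"iptables -I INPUT -s {src} -j DROP" for src, _proto, _dport in scans})


if __name__ == "__main__":
    found = find_horizontal_scans(SAMPLE_LOG.splitlines(), "198.51.100.0/24", min_targets=5)
    for (src, proto, dport), dsts in found.items():
        print(f"{src} swept {proto}/{dport} on {len(dsts)} hosts: {dsts[0]} .. {dsts[-1]}")
    for rule in drop_rules(found):
        print(rule)
```

The rules are returned as strings rather than executed on purpose: an automatic block driven by source addresses in a drop log is only as trustworthy as those addresses, and a scanner can send its probes with a forged source so that the firewall blacklists someone else (the same weakness any portsentry-style auto-blocker has). Review the list, or at least expire entries, before feeding it to iptables.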