[NTLUG:Discuss] How do I teach my firewall to drop

Michael H. Collins mhtexcollins at austin.rr.com
Mon Apr 9 21:47:58 CDT 2001


conectiva rox  <grin>

David South Jr wrote:

>  >Don't forget the Stealth Kernel Patch..
> 
> I'm using IPChains in stealth mode. That is, whenever they try to scan 
> port 53 (for example) on my class-C ip range, my firewall will drop 
> (DENY) the packets rather than send back a rejection packet (REJECT). 
> Except on the two IP addresses where the actual DNS servers exist. I 
> have to allow that traffic or else legitimate users can't reach my DNS 
> servers.
> 
> Here is the problem. I see that port 53 was scanned for an entire range 
> of addresses. That means it is a port scan. But the scan does not trip 
> my portsentry program (which is running and only listening on the 
> firewall). So portsentry doesn't drop all the packets (whatever the 
> type) from that offending system.
> 
> I need a program, or settings for my existing programs, to understand 
> that someone is doing a scan of my DMZ and that it should be stopped.
> 
>  >Oh and thanks for the link to grc.com!  I ran the 'probe my ports'
>  >test and of course it reported which ports I had open, and which
>  >ports I had stealthed..(thanks to the stealth patch) Ok.
> 
> You're welcome. grc.com is great.
> 
>  >I read this tidbit on the results of my scan.  (talking about the
>  >IDENT port: "Only the latest, highest technology, adaptive firewalls
>  >are smart enough to stealth this port against random probes while
>  >showing it closed to queries from valid servers.")
> 
> Ident (pidentd) shows the user-name of the port connections and reports 
> that back to the other system. It is not really necessary for the system 
> and is something I'm not even running.
> 
>  >So, two questions:
>  >1) should ident be closed?
> 
> Yes, I think you should stop running Ident and drop (DENY) the packets. 
> Of course, if someone can give me an example as to why I should run 
> Ident, I'd love to hear it.
> 
>  >2) Does Linux have the ability to make an open port APPEAR stealthed to
>  >a scan, while allowing valid traffic to pass? (wouldn't stateful
>  >filtering be involved in an operation like that?)
> 
> Actually, this is exactly what I'm trying to do. Port scans of the IP 
> range should show who is trying to hack the system. I want to drop those 
> people so they can't even reach my real servers.
> 
> On a single box with a single static IP, I think that stateful filtering 
> with IPTables on the new kernel will probably fit the bill. Keep in mind 
> that stateful filtering requires a lot more resources because the 
> computer must keep track of every connection individually.
> 
> Anybody else have suggestions?
> 
> DJ
> 
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss


-- 
Michael H. Collins              http://www.linuxlink.com
Admiral                         Penguinista Navy International
This ain't California           http://www.geekaustin.org
Speech Enabled Chat             http://phphreaks.net/bxspeak/
         *Ask me about Plan 9*
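The gap David describes, a sweep of port 53 across the whole class-C that never trips portsentry because portsentry only sees the firewall's own address, can be closed by looking at the firewall's DENY log instead: a sweep touches many destination addresses from one source, which no single host can see but the log can. The following is an added example, not code from anyone in this thread. It assumes ipchains-style kernel "Packet log:" lines as klogd writes them (the sample lines below are constructed), and that a source which probes the port on at least eight distinct addresses is a scanner; the rule it emits uses `ipchains -I input 1 ... -j DENY -l` to insert a logging DENY at the top of the input chain.

```python
"""Horizontal scan detector for ipchains DENY log lines (added example).

Per-host tools (portsentry) cannot see a sweep that hits every address in a
range once, because each host sees only its own packet.  The firewall log
does see all of them, so count distinct destinations per source address.

Assumed log format (ipchains via klogd/syslog), e.g.:
  Apr  9 21:40:01 fw kernel: Packet log: input DENY eth0 PROTO=6 \
      198.51.100.9:3456 192.0.2.17:53 L=60 S=0x00 I=1 F=0x4000 T=50 SYN (#7)
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: one source sweeps UDP/53 across 192.0.2.1-12, another
# source makes a single TCP/53 hit plus an unrelated port-80 hit, and one
# line is not a packet log at all (the parser must skip it).
SAMPLE_LOG = [
    f"Apr  9 21:40:{i:02d} fw kernel: Packet log: input DENY eth0 PROTO=17 "
    f"198.51.100.9:1053 192.0.2.{i}:53 L=48 S=0x00 I=0 F=0x0000 T=50 (#7)"
    for i in range(1, 13)
] + [
    "Apr  9 21:41:10 fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "203.0.113.5:2201 192.0.2.40:53 L=60 S=0x00 I=3 F=0x4000 T=61 SYN (#7)",
    "Apr  9 21:41:11 fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "203.0.113.5:2202 192.0.2.41:80 L=60 S=0x00 I=4 F=0x4000 T=61 SYN (#9)",
    "Apr  9 21:41:12 fw kernel: martian source 10.0.0.1 from 192.0.2.2",
]


def parse_line(line):
    """Return the packet fields of one log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def find_sweeps(lines, port=53, min_hosts=8):
    """Map each scanning source to the sorted list of destinations it probed.

    A source counts as a scanner when it sent packets to `port` on at least
    `min_hosts` distinct destination addresses.  Only DENIED packets appear
    in the log, so the two real DNS servers (which are ACCEPTed) never
    inflate the count.  `min_hosts` is the assumed threshold.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != port:
            continue
        seen[rec["src"]].add(rec["dst"])
    return {
        src: sorted(dsts, key=_ip_key)
        for src, dsts in seen.items()
        if len(dsts) >= min_hosts
    }


def block_rules(sweeps, chain="input"):
    """Emit an ipchains rule per scanner: insert at position 1, DENY, log."""
    return [f"ipchains -I {chain} 1 -s {src} -j DENY -l" for src in sorted(sweeps)]


if __name__ == "__main__":
    found = find_sweeps(SAMPLE_LOG)
    for src, dsts in found.items():
        print(f"{src} probed port 53 on {len(dsts)} hosts "
              f"({dsts[0]} .. {dsts[-1]})")
    for rule in block_rules(found):
        print(rule)
```

Run it against the real log (`grep 'Packet log:' /var/log/messages`) instead of SAMPLE_LOG; the single-host hit from 203.0.113.5 stays below the threshold, which is the point: one denied packet is noise, the same source on a dozen addresses is a sweep.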



