Re: Security....

On Wed, 2004-10-27 at 18:09 +0300, Andrey Andreev wrote:
> How about setting portsentry to block IPs (temporarily) after 10 or so 
> attempts? Can it do that (I kind of think so)?
> 

No. Portsentry can only bind to ports on which there is not already
another program listening, so it cannot bind to 22. What I did do with
Portsentry is combine it with Shorewall to somewhat reduce hostile
probes, roughly this way:

 1. Create a set of "hostile" ports. These are ports which no sane and
normal person would *ever* use on your box, and where you are prepared
to drop someone off the face of the Earth for even looking at them. For
instance, on my commercial webserver I would never expose portmap (111)
to the Internet, nor should anyone ever attempt to print to that box (it
being in a locked cabinet 1,500 miles away). So my list of hostile ports
for that box includes 111 and 515 (and 23, 1080, 8080, 12345, mssql,
etc., all ports that should never, ever, *ever* be poked).

 2. Use Shorewall to firewall the box, and create REDIRECT rules in the 
firewall to move all such traffic to a single port (on my box, 49999).
This limits exposure to potential risks, since *if* I somehow messed up
and actually activated portmap it would still not get any requests from
outside... all outside requests for tcp/111 would go to tcp/49999.

 3. Create a script which calls Shorewall's blacklisting functionality
(given an IP address) and drops this IP address into a black hole. The
script also schedules an "at" job for X days (in my case, 2 days) later
to remove that restriction. You don't want to keep blocking everything
forever since your block list gets huge and most IPs that get blocked
are going to be dial-up anyway.

 4. Configure Portsentry with a hair trigger: any IP that sends even a
single packet to port 49999 gets instantly black-holed with the script
from Step 3.

The result is that I generally have 15-20 hosts blocked at any one time,
and that most script kiddies who reach my system poke a hostile port
while looking for the most common exploits. The number of attacks has
gone way down, and the kiddie who sets off Shorewall/Portsentry has to
wait another two days to try to test my SSH port. In reality, most
simply move on.

I love it.

-- 
Rodolfo J. Paiz <rpaiz@xxxxxxxxxxxxxx>
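The blacklisting script from Step 3, written out as an added example (it is not the poster's own script, and the file name blackhole.sh is hypothetical). It assumes Shorewall's dynamic blacklist commands "shorewall drop" and "shorewall allow", at(1) for the delayed release, and Portsentry's KILL_RUN_CMD hook to call it; the address check and the dry-run switch are additions so that the script refuses anything but a plain IPv4 address and can be exercised without a live firewall.

```shell
#!/bin/sh
# blackhole.sh (hypothetical name): black-hole one IPv4 address with Shorewall's
# dynamic blacklist and queue its release with at(1). Added example, not the
# poster's script. Portsentry can invoke it from portsentry.conf with
#   KILL_RUN_CMD="/usr/local/sbin/blackhole.sh $TARGET$"

BLOCK_DAYS="${BLOCK_DAYS:-2}"              # the poster used a 2-day block
SHOREWALL="${SHOREWALL:-/sbin/shorewall}"
DRY_RUN="${DRY_RUN:-0}"                    # 1 = print commands instead of running them

# Accept only a plain dotted-quad IPv4 address. The argument is taken from hostile
# traffic, so nothing but digits and dots may reach the commands below.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$@"; else "$@"; fi
}

# Drop the address now and schedule "shorewall allow" BLOCK_DAYS days later.
blackhole_ip() {
    ip=$1
    valid_ipv4 "$ip" || { echo "blackhole: refusing bad address '$ip'" >&2; return 1; }
    run "$SHOREWALL" drop "$ip" || return 1
    if [ "$DRY_RUN" = 1 ]; then
        echo "at now + $BLOCK_DAYS days: $SHOREWALL allow $ip"
    else
        printf '%s allow %s\n' "$SHOREWALL" "$ip" | at now + "$BLOCK_DAYS" days
    fi
}

# Act only when executed as the script itself, so the functions can be sourced.
case "$0" in
    *blackhole.sh) blackhole_ip "$1" ;;
esac
```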


