[lug] Interesting Crash Report

D. Stimits stimits at idcomm.com
Tue Mar 20 21:44:20 MST 2001


Deva Samartha wrote:
> 
> Well, I tried portsentry (before I posted the question) - but since it's
> behind the firewall (on the firewall machine) and port 111 gets blocked
> anyway - (and logged, me seeing the bloody portscans), portsentry does not
> even get to see the access since it's filtered out by the kernel.
> 
> The ability to block an IP automatically for every access after the first
> attempt based on some rules is something I am looking for. Maybe ipchains
> can do it with a separate chain but I have not looked into it.
> 
> portsentry is from www.psionic.com, their hostsentry looks good too.
> 
> other than that - it's similar to what D. Stimits does - looking at the
> firewall log and running a script to block an IP. But with this method - I
> am pretty sure to miss exactly the 3 minutes when somebody attempts
> something and succeeds.
> 
> All my 111 accesses are portscans running in sequence through all my IP
> numbers within fractions of a second and I bet that if somebody succeeds,
> they paste and run scripts in fractions of seconds too. I would think that
> having a working tool which adds rules to the firewall on the fly could be
> helpful.
> 
> Tailing the firewall and grepping on the port does not do the trick since
> the whole event of scanning happens within a second and the shell script
> sleep's shortest period is one second.

Maybe what is needed is a daemon that continuously scans the logs,
similar to tail -f, but runs triggers based on regular expressions. The
danger here is that probably you would have to run the daemon suid;
optionally, sudo could allow ipchains appends. Don't know of any such
application, but probably something like tkexpect could be used to
create something basic.

> 
> At 07:18 PM 3/20/2001 -0700, you wrote:
> >portsentry should take care of that for you. www.abacus.com (I believe)
> >
> >Deva Samartha wrote:
> >
> > > >  I've denied about two dozen
> > > >/24 domains just because I dislike seeing anything hit port 111 (the
> > > >first packet gets them blocked).
> > >
> > > That's really neat, if possible, would you mind sharing how you do that -
> > > or name the software packages you use?
> > >
> > > Thanks,
> > >
> > > Samartha
> > >
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
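The log-following trigger daemon sketched in the reply above, written out as an added example (not code from the thread or from psionic's portsentry). It follows the firewall log the way tail -f does, matches ipchains "Packet log" DENY entries with a regular expression, and on the first probe of port 111 from an outside address emits an ipchains rule blocking that source. The ipchains log layout, the sample log lines and the SAFE_NETS range are constructed assumptions for the example; the rule is only executed through sudo when dry_run is switched off, so the matcher itself never needs to run suid.

```python
"""Added example: a regex-triggered log watcher that blocks port-111 probers.
Not from the original thread. ipchains line format and sample lines are
constructed; the firewall command only runs with dry_run=False."""
import ipaddress
import re
import subprocess
import time

# Assumed ipchains 2.2-kernel "Packet log:" layout, e.g.
#  ... kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:1025 192.168.1.1:111 L=60 ...
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

WATCHED_PORTS = {111}                                   # sunrpc/portmap probes, as in the thread
SAFE_NETS = [ipaddress.ip_network("192.168.0.0/16")]    # constructed: never block our own LAN


def parse_packet_log(line):
    """Return the fields of an ipchains Packet log line, or None if it does not match."""
    m = PACKET_LOG.search(line)
    if not m:
        return None
    f = m.groupdict()
    for key in ("proto", "sport", "dport"):
        f[key] = int(f[key])
    return f


def block_command(src):
    """Rule inserted at position 1 of the input chain so it wins over later ACCEPTs."""
    return ["sudo", "ipchains", "-I", "input", "1", "-s", src, "-j", "DENY"]


class Watcher:
    """Keeps the set of already-blocked sources so each IP triggers one rule only."""

    def __init__(self, dry_run=True):
        self.dry_run = dry_run
        self.blocked = set()
        self.issued = []    # commands generated, for inspection in dry runs

    def handle(self, line):
        f = parse_packet_log(line)
        if not f or f["target"] != "DENY" or f["dport"] not in WATCHED_PORTS:
            return None
        try:
            addr = ipaddress.ip_address(f["src"])
        except ValueError:
            return None         # malformed address: ignore rather than feed it to ipchains
        if any(addr in net for net in SAFE_NETS) or f["src"] in self.blocked:
            return None
        self.blocked.add(f["src"])
        cmd = block_command(f["src"])
        self.issued.append(cmd)
        if not self.dry_run:
            subprocess.run(cmd, check=False)    # argv list, no shell: no injection via log text
        return cmd


def follow(path, watcher, poll=0.1):
    """tail -f loop: start at end of file and poll for new lines at sub-second intervals."""
    with open(path) as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if not line:
                time.sleep(poll)
                continue
            watcher.handle(line.rstrip("\n"))


# Constructed sample log lines: a scan of port 111, a repeat, an accepted web hit,
# a LAN host that must not be blocked, and a second outside scanner.
SAMPLE_LINES = [
    "Mar 20 21:40:01 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:1025 192.168.1.1:111 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#3)",
    "Mar 20 21:40:01 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:1026 192.168.1.2:111 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#3)",
    "Mar 20 21:40:02 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.7:3333 192.168.1.1:80 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#9)",
    "Mar 20 21:40:02 fw kernel: Packet log: input DENY eth1 PROTO=6 192.168.1.9:2000 192.168.1.1:111 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#3)",
    "Mar 20 21:40:03 fw kernel: Packet log: input DENY eth0 PROTO=17 172.16.3.4:1024 192.168.1.1:111 L=40 S=0x00 I=0 F=0x0000 T=64 (#3)",
]


def demo():
    """Run the sample lines through a dry-run watcher; returns the sorted blocked sources."""
    w = Watcher(dry_run=True)
    for line in SAMPLE_LINES:
        w.handle(line)
    return sorted(w.blocked)


if __name__ == "__main__":
    print(demo())   # dry run on the constructed lines
    # follow("/var/log/messages", Watcher(dry_run=False))  # live use on the firewall host
```

Because the poll interval is fractional, the watcher reacts within a fraction of a second of the kernel writing the DENY line, rather than on the one-second granularity of a shell sleep loop, and running it as an unprivileged user with a sudoers entry limited to ipchains avoids a suid daemon.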
