[lug] Interesting Crash Report

John Hernandez John.Hernandez at noaa.gov
Wed Mar 21 10:31:49 MST 2001


The netfilter packet mangler for kernel 2.4 has a facility to selectively queue packets and send them up to userspace.  Perhaps the libipq API could be leveraged to produce a rule on the fly, having the same effect as portsentry.

"D. Stimits" wrote:
> 
> Deva Samartha wrote:
> >
> > Well, I tried portsentry (before I posted the question) - but since it's
> > behind the firewall (on the firewall machine) and the 111 get blocked
> > anyway - (and logged, me seeing the bloody portscans), portsentry does not
> > even get to see the access since it's filtered out by the kernel.
> >
> > The ability to block an IP automatically for every access after the first
> > attempt based on some rules is something I am looking for. Maybe ipchains
> > can do it with a separate chain but I have not looked into it.
> >
> > portsentry is from www.psionic.com, their hostsentry looks good too.
> >
> > other than that - it's similar to what D. Stimits does - looking at the
> > firewall log and running a script to block an IP. But with this method - I
> > am pretty sure to miss exactly the 3 minutes when somebody attempts
> > something and succeeds.
> >
> > All my 111 accesses are portscans running in sequence through all my IP
> > numbers within fractions of a second and I bet that if somebody succeeds,
> > they paste and run scripts in fractions of seconds too. I would think that
> > having a working tool which adds rules to the firewall on the fly could be
> > helpful.
> >
> > Tailing the firewall and grepping on the port does not do the trick since
> > the whole event of scanning happens within a second and a shell script's
> > shortest sleep period is one second.
> 
> Maybe what is needed is a daemon that continuously scans the logs,
> similar to tail -f, but runs triggers based on regular expressions. The
> danger here is that probably you would have to run the daemon suid;
> optionally, sudo could allow ipchains appends. Don't know of any such
> application, but probably something like tkexpect could be used to
> create something basic.
> 
> >
> > At 07:18 PM 3/20/2001 -0700, you wrote:
> > >portsentry should take care of that for you. www.abacus.com (I believe)
> > >
> > >Deva Samartha wrote:
> > >
> > > > >  I've denied about two dozen
> > > > >/24 domains just because I dislike seeing anything hit port 111 (the
> > > > >first packet gets them blocked).
> > > >
> > > > That's really neat, if possible, would you mind sharing how you do that -
> > > > or name the software packages you use?
> > > >
> > > > Thanks,
> > > >
> > > > Samartha
> > > >
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
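An added example, not code from this thread, from portsentry or from netfilter: the log-watching daemon D. Stimits sketches above, written out in Python as a concrete alternative to the libipq route. It follows the kernel log like tail -f, matches port-111 hits with a regex, and inserts a block rule for the source on its first hit, running ipchains or iptables through sudo with a fixed argv so the daemon itself need not be suid. Assumed rather than taken from the thread: the two log formats it parses (ipchains "Packet log:" lines and netfilter LOG-target lines), the exact rule argv, the allowlist and rule cap, and the sample log lines, which are constructed.

```python
"""Log-triggered blocker for port 111 hits: tail -f plus regex triggers.
Added example, not code from the thread.  Assumes ipchains "Packet log:"
or netfilter LOG-target lines, and a sudoers entry allowing the fixed argv."""
import re
import subprocess
import time
from typing import Callable, Iterable, Iterator, List, Optional, Set, Tuple

WATCHED_PORTS = {111}      # sunrpc/portmapper, the port the thread is about
MAX_DYNAMIC_RULES = 500    # cap so a spoofed sweep cannot grow the chain forever

# ipchains: "Packet log: input DENY eth0 PROTO=6 192.0.2.10:3456 198.51.100.1:111 L=60 ..."
IPCHAINS_RE = re.compile(
    r"Packet log: \S+ \S+ \S+ PROTO=\d+ (?P<src>\d+\.\d+\.\d+\.\d+):\d+ "
    r"\d+\.\d+\.\d+\.\d+:(?P<dport>\d+)")
# netfilter LOG target: "IN=eth0 OUT= SRC=192.0.2.10 DST=... PROTO=TCP SPT=3456 DPT=111 ..."
NETFILTER_RE = re.compile(
    r"IN=\S* OUT=\S* .*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?PROTO=\w+ SPT=\d+ DPT=(?P<dport>\d+)")


def parse_line(line: str) -> Optional[Tuple[str, int]]:
    """(source_ip, destination_port) for a logged packet, or None if the
    line is not a firewall entry in either format (ICMP lines have no DPT)."""
    for rx in (IPCHAINS_RE, NETFILTER_RE):
        m = rx.search(line)
        if m:
            return m.group("src"), int(m.group("dport"))
    return None


def run_sudo(argv: List[str]) -> None:
    """Default runner: sudoers allows exactly this argv, so the daemon runs
    unprivileged instead of suid root.  No shell, no string interpolation."""
    subprocess.run(argv, check=True)


class Blocker:
    def __init__(self, allowlist: Iterable[str],
                 runner: Callable[[List[str]], None] = run_sudo,
                 tool: str = "iptables") -> None:
        # Source addresses in the log are attacker-controlled (a scan can spoof
        # SYNs), so the allowlist must hold every address you cannot afford to
        # block: your own nets, DNS, the upstream router.
        self.allow: Set[str] = set(allowlist)
        self.blocked: Set[str] = set()
        self.runner, self.tool = runner, tool

    def rule_for(self, ip: str) -> List[str]:
        if self.tool == "ipchains":
            return ["sudo", "ipchains", "-I", "input", "-s", ip, "-j", "DENY"]
        return ["sudo", "iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]

    def handle(self, line: str) -> Optional[List[str]]:
        """Block the source on its first hit; return the argv used, else None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        src, dport = parsed
        if (dport not in WATCHED_PORTS or src in self.allow or src in self.blocked
                or len(self.blocked) >= MAX_DYNAMIC_RULES):
            return None
        argv = self.rule_for(src)
        self.runner(argv)
        self.blocked.add(src)
        return argv


def follow(path: str, poll: float = 0.05) -> Iterator[str]:
    """tail -f in-process: lines are handled as they land, polling every 50 ms."""
    with open(path) as fh:
        fh.seek(0, 2)                       # start at end of file
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


# Constructed sample log (not from the thread): one scanner logged twice by
# ipchains, another by netfilter, a hit from the allowlisted DNS server, and
# an unrelated port-22 entry.
SAMPLE_LOG = [
    "Mar 21 10:31:49 fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.10:3456 198.51.100.1:111 L=60 S=0x00 I=12345 F=0x4000 T=52 SYN (#1)",
    "Mar 21 10:31:49 fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.10:3457 198.51.100.2:111 L=60 S=0x00 I=12346 F=0x4000 T=52 SYN (#1)",
    "Mar 21 10:31:50 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4 DF PROTO=TCP SPT=40001 DPT=111 SYN URGP=0",
    "Mar 21 10:31:50 fw kernel: IN=eth0 OUT= SRC=198.51.100.53 DST=198.51.100.1 "
    "LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=53 DPT=111 LEN=48",
    "Mar 21 10:31:51 fw kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=6 DF PROTO=TCP SPT=40002 DPT=22 SYN URGP=0",
]


def demo() -> List[List[str]]:
    """Feed the sample to a Blocker that records argv instead of executing it.
    Live use: Blocker(allowlist={...}) fed from follow('/var/log/messages')."""
    issued: List[List[str]] = []
    blocker = Blocker(allowlist={"198.51.100.53"}, runner=issued.append)
    for line in SAMPLE_LOG:
        blocker.handle(line)
    return issued
```

The allowlist and the rule cap are not decoration: the source address in a firewall log line is whatever the scanner put in the packet, so a spoofed sweep can make an auto-blocker cut off your own DNS server or gateway, or fill the input chain with thousands of rules. The sudo runner with a fixed argv is the same trade-off Stimits raises above: the daemon stays unprivileged and sudoers grants only the one command shape it needs.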
