[lug] Interesting Crash Report
Deva Samartha
blug-receive at mtbwr.net
Tue Mar 20 21:20:25 MST 2001
Well, I tried portsentry (before I posted the question), but since it's
behind the firewall (on the firewall machine) and port 111 gets blocked
anyway (and logged, with me seeing the bloody portscans), portsentry does not
even get to see the access since it's filtered out by the kernel.
The ability to block an IP automatically for every access after the first
attempt based on some rules is something I am looking for. Maybe ipchains
can do it with a separate chain but I have not looked into it.
portsentry is from www.psionic.com; their hostsentry looks good too.
Other than that, it's similar to what D. Stimits does: looking at the
firewall log and running a script to block an IP. But with this method I
am pretty sure to miss exactly the 3 minutes when somebody attempts
something and succeeds.
All my port 111 accesses are portscans running in sequence through all my IP
numbers within fractions of a second, and I bet that if somebody succeeds,
they paste and run scripts in fractions of seconds too. I would think that
having a working tool which adds rules to the firewall on the fly could be
helpful.
Tailing the firewall log and grepping on the port does not do the trick since
the whole event of scanning happens within a second and a shell script's
shortest sleep period is one second.
At 07:18 PM 3/20/2001 -0700, you wrote:
>portsentry should take care of that for you. www.abacus.com (I believe)
>
>Deva Samartha wrote:
>
> > > I've denied about two dozen
> > >/24 domains just because I dislike seeing anything hit port 111 (the
> > >first packet gets them blocked).
> >
> > That's really neat, if possible, would you mind sharing how you do that -
> > or name the software packages you use?
> >
> > Thanks,
> >
> > Samartha
> >
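The on-the-fly blocker the post asks for, as an added example (the editor's own sketch, not code from the poster, from D. Stimits, or from psionic.com): it reads ipchains log lines as syslog writes them and inserts a DENY rule for every source that touches the watched port, so the reaction is per log line rather than bound by the one-second floor of `sleep`. Assumptions: the kernel emits ipchains 2.2-style `Packet log:` lines, the rule layout (`-I input 1 ... -j DENY -l`) is a plausible choice rather than the poster's, the script name `autoblock.sh` is invented, and the log lines in `SAMPLE_LOG` are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example, not from the original post. Turns ipchains log lines into
# on-the-fly DENY rules for any source that touches a watched port (111 here).
# Assumption: the kernel writes ipchains 2.2-style log lines to syslog, e.g.
#   kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:3456 192.0.2.1:111 L=60 ...
# The rule layout (-I input 1 ... -j DENY) is a plausible choice, not the poster's.

# Constructed sample log (not real traffic): two port-111 scanners, one
# port-22 probe that must be ignored, one non-firewall line.
SAMPLE_LOG='Mar 20 21:00:01 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:3456 192.0.2.1:111 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#5)
Mar 20 21:00:01 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:3457 192.0.2.2:111 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#5)
Mar 20 21:00:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4000 192.0.2.1:22 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#7)
Mar 20 21:00:02 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2222 192.0.2.3:111 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#5)
Mar 20 21:00:03 fw sshd[123]: Accepted password for samartha from 192.0.2.50'

# scanners_for_port PORT: read log lines on stdin, print the source address of
# every logged packet aimed at PORT, each source once (first hit wins).
# fflush keeps awk from buffering its output when it sits behind tail -f.
scanners_for_port() {
    awk -v port="${1:-111}" '
        /Packet log:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) {
                    split($(i + 1), src, ":")   # "src:sport"
                    split($(i + 2), dst, ":")   # "dst:dport"
                    if (dst[2] == port && !(src[1] in seen)) {
                        seen[src[1]] = 1
                        print src[1]
                        fflush()
                    }
                    break
                }
            }
        }'
}

# block_cmd IP: the ipchains rule that drops everything from IP from now on,
# inserted at position 1 of the input chain so it precedes any ACCEPT rules.
block_cmd() {
    echo "ipchains -I input 1 -s $1 -j DENY -l"
}

# block_scanners PORT: print the rule for each new scanner; run it only when
# DO_BLOCK=1, so a dry run is the default.
block_scanners() {
    scanners_for_port "${1:-111}" | while read -r ip; do
        cmd=$(block_cmd "$ip")
        echo "$cmd"
        if [ "${DO_BLOCK:-0}" = 1 ]; then
            $cmd   # word-split on purpose: runs the printed command
        fi
    done
}

# Usage:  sh autoblock.sh --live [PORT]   (LOGFILE defaults to /var/log/messages)
#         sh autoblock.sh                 (dry run over SAMPLE_LOG)
# In live mode tail -f hands each line to awk the moment syslog writes it, so
# reaction time is per line rather than bound by sleep's one-second floor.
if [ "${1:-}" = "--live" ]; then
    tail -n 0 -f "${LOGFILE:-/var/log/messages}" | block_scanners "${2:-111}"
else
    printf '%s\n' "$SAMPLE_LOG" | block_scanners 111
fi
```

Two caveats before pointing this at a real firewall: the source address in a dropped SYN is whatever the sender chose, so a spoofed scan can trick an auto-blocker into denying your own gateway, DNS servers or upstream mail host (exempt those addresses before the rule is inserted); and because the DENY goes in at position 1 of `input`, it silently overrides every later ACCEPT for that source until you flush it.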