
Re: portsentry dangerous? hardly; RTFM. (was Re: checking security logs)



On 29 Jan 2001, Rainer Weikusat wrote:

> thomas lakofski <thomas@88.net> writes:
> > Tim Haynes wrote:
> > Script kiddies generally don't know what's happened to them when
> > portsentry triggers, and go looking for easier fodder
>
> Random garbage traveling across the 'net is exactly this: Random
> garbage.

ok, and?

[snip]

> A nice remote DoS:
> --------------------
> while true;
> do
>     isdnctrl dial ippp0
>     nc -v -z <your.ip> <port>
>     isdnctrl hangup ippp0
> done
> --------------------
>
> If I suffer from dynamic IP allocations, you would be blocking
> hundreds of IPs within a comparatively short amount of time (~ 3-5
> seconds per IP). This will keep your machine quite busy and will block
> entirely legitimate accesses to the services you talk of below from
> people who happen to get said IPs next.

I think the machine can manage to handle executing a command every three
seconds.  I'd get an idea this was occurring within an hour as logcheck mails
me if portsentry goes off.  So, maybe a thousand random dialup IPs can't reach
my machine.  Since a potential attacker doesn't know where I do business, the
chances of this affecting me are slim to slimmer than that.

> > If they're actually out to exploit the hole
>
> Why do you worry about holes in programs you don't even run?

I'm not worried about holes in programs I don't even run.  I'm interested in
detecting, and taking action against, actions which appear to be suspicious.

> No one can attack you with a portmapper-exploit if there's no portmapper
> to talk to.

I realise this.

> > When using software like this it's assumed that you have a good idea
> > of what is happening on the box.
>
> If I know what's happening on the box, I don't need a tool like this,
> as I don't run any services except those I intend to, with the latter
> ones being reasonably configured.

I still want to detect behaviour indicative of an attack and take action.

> > I don't have it trigger as a result of anything other than a full
> > TCP connect.
>
> see above
>
> > I have a default-deny firewall with portsentry.
>
> Consider a default-REJECT firewall. This is a lot nicer to others.

Until someone uses it as a mirror for a denial of service attack.  Legitimate
traffic will never have any problems.

> > There are only around 5 valid services on the box,
>
> So these are the ones to worry about.
>
> > and about 30 fake ports wired up to portsentry.
>
> So you deliberately open up thirty ports without any real need to do
> so to get *what*?

To detect certain kinds of behaviours and take appropriate actions, that's all.

> Why not simply close them and be done with it?

see above

> > People who have valid business on the box never run into trouble,
>
> They will, as demonstrated above.

Unlikely; at least, it hasn't happened in the last 3 or so years.

cheers,

-thomas

-- 
          who's watching your watchmen?
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4  F053 4AE5 01DF 81FD 4B43
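The exchange above turns on one mechanism: a full TCP connect to a decoy port gets the source address put on a deny list, and an attacker on a dial-up pool can cycle through that pool one redial at a time. The following is an added simulation of that mechanism written for this thread; it is not portsentry's code and not code from either poster. Its model is a deliberate simplification (an assumption): any connect to a decoy port blocks the source, blocked sources are dropped at the filter so they cannot refresh their own block timer, and the attacker walks the pool round-robin. The decoy and real port lists, the RFC 5737 documentation addresses, the 4-second redial interval and the 30-minute block expiry are all constructed sample values.

```python
"""Portsentry-style auto-blocking and the rotating-address failure mode.

Added example for this thread, not portsentry's own code. Simplified model
(assumption): a connect to a decoy port puts the source on a deny list; all
later packets from that source are dropped at the filter, so a blocked
source cannot refresh its own timer. Ports, addresses and timings are
constructed sample data.
"""
from dataclasses import dataclass, field
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

DECOY_PORTS: Set[int] = {1, 11, 15, 111, 143, 540, 1080, 1524, 2000, 12345, 31337}
REAL_PORTS: Set[int] = {22, 25, 80}


@dataclass
class Connect:
    t: float      # seconds since start of the run
    src: str      # source address
    dport: int    # destination port


@dataclass
class Blocker:
    """Deny list keyed by source IP. block_ttl=None means a permanent block."""
    block_ttl: Optional[float] = None
    blocked_at: Dict[str, float] = field(default_factory=dict)
    ever_blocked: Set[str] = field(default_factory=set)

    def is_blocked(self, ip: str, now: float) -> bool:
        t0 = self.blocked_at.get(ip)
        if t0 is None:
            return False
        if self.block_ttl is not None and now - t0 >= self.block_ttl:
            del self.blocked_at[ip]   # block expired, address usable again
            return False
        return True

    def handle(self, c: Connect) -> str:
        if self.is_blocked(c.src, c.t):
            return "dropped"          # filter drops it; no listener sees it
        if c.dport in DECOY_PORTS:
            self.blocked_at[c.src] = c.t
            self.ever_blocked.add(c.src)
            return "blocked"          # trigger: source goes on the deny list
        if c.dport in REAL_PORTS:
            return "served"
        return "closed"               # nothing listening: ordinary RST


def rotating_attacker(pool: ipaddress.IPv4Network, interval: float,
                      duration: float, dport: int = 111) -> List[Connect]:
    """The quoted dial / nc -z / hangup loop: one probe per redial, each from
    the next address in the dynamic pool (round-robin is an assumption)."""
    hosts = [str(h) for h in pool.hosts()]
    return [Connect(i * interval, hosts[i % len(hosts)], dport)
            for i in range(int(duration // interval))]


def simulate(block_ttl: Optional[float], legit: Connect,
             pool: ipaddress.IPv4Network = ipaddress.ip_network("203.0.113.0/24"),
             interval: float = 4.0, duration: float = 3600.0) -> Tuple[int, str]:
    """Run an hour of the attacker loop, then see what happens to a legitimate
    client that is later assigned one of the pool's addresses. Returns the
    number of distinct addresses blocked and the legitimate client's outcome."""
    b = Blocker(block_ttl)
    for c in rotating_attacker(pool, interval, duration):
        b.handle(c)
    return len(b.ever_blocked), b.handle(legit)


if __name__ == "__main__":
    legit = Connect(4000.0, "203.0.113.7", 25)   # next user of a poisoned address
    for ttl in (None, 1800.0):
        n, outcome = simulate(ttl, legit)
        print(f"block_ttl={ttl}: {n} distinct addresses blocked in one hour; "
              f"SMTP from {legit.src} at t={legit.t:.0f}s -> {outcome}")
```

With a permanent deny list, one redial every 4 seconds poisons every host address of a /24 within about 17 minutes, and the next legitimate holder of one of those addresses is dropped indefinitely. A 30-minute expiry lets that address recover once the attacker has moved on, but a client that arrives inside the window is still dropped, so a TTL narrows the collateral damage without removing it. Both posters' points survive the simulation: the machine is not overloaded, but legitimate traffic from the affected pool is.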


