
Re: Active Snort Log Analyser



Hi!

> Those FireWalls *are* secure today but as I manage many FireWalls and don't 
> have time to upgrade them to the latest software more than once a year, I'm 
> quite afraid of new holes being found in proftpd or sendmail (examples).
> 
> The customers who use those FireWalls need FTP, Mail and whatever other services 
> on those FireWalls (one could say these are no more FireWalls...). For some 
> evident financial reasons, they don't want to split into different servers.
> 
> Tonight, snort reported me someone from Malaysia portscanned my subnet and then 
> tried to exploit a bug in ProFTPD. Happily, the version of ProFTPD shipping 
> with Debian 2.2 seems secure, but for how long?
> So I thought it would be wise to deny this intruder to go further than the 
> scan.

I see your point, but it doesn't change the problem. Once one of the many
bugs in any big piece of C code is commonly known, there is no way to secure
your system short of removing access to this software. If you only block a
portscanner and even only do it for some short time, you gain nothing.

When I browse through my log files, I usually don't even see any portscans
at all. It seems as if no one will scan for open ports on a single computer
anymore. They scan for open computers on a single port instead. They have an
exploit for e.g. an old BIND and scan thousands of computers for an open
port 53 and then go on figuring out if their exploit would work. Now, if
you have an old BIND open to the internet, you will not notice the portscan,
since only one port is scanned on your machine and this one packet will not
even be logged.

So you should not bother to detect portscans. Save your time and effort -
setting up another system as a real firewall is cheaper in both.

Jörn
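The point made above, that a single-port sweep across a subnet leaves only one probe per host and so never crosses a per-host portscan threshold, as an added Python illustration that is not part of the original thread (the log format, addresses and thresholds are constructed for the example):

```python
from collections import defaultdict

# Constructed sample log (not from the original mail): "src_ip dst_ip dst_port".
# 10.0.0.5 probes many ports on one host (a classic vertical portscan);
# 10.0.0.9 probes a single port (53, as in the BIND example) across the subnet.
SAMPLE_LOG = """\
10.0.0.5 192.168.1.10 21
10.0.0.5 192.168.1.10 22
10.0.0.5 192.168.1.10 25
10.0.0.5 192.168.1.10 53
10.0.0.5 192.168.1.10 80
10.0.0.9 192.168.1.10 53
10.0.0.9 192.168.1.11 53
10.0.0.9 192.168.1.12 53
10.0.0.9 192.168.1.13 53
10.0.0.9 192.168.1.14 53
"""

PORT_THRESHOLD = 5   # assumed: distinct ports on one host before we call it a portscan
HOST_THRESHOLD = 5   # assumed: distinct hosts on one port before we call it a sweep

def parse_log(text):
    """Yield (src, dst, port) tuples from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            src, dst, port = line.split()
            yield src, dst, int(port)

def vertical_scans(events, threshold=PORT_THRESHOLD):
    """Per-host view: sources touching >= threshold distinct ports on one destination."""
    ports = defaultdict(set)
    for src, dst, port in events:
        ports[(src, dst)].add(port)
    return {src for (src, _dst), p in ports.items() if len(p) >= threshold}

def horizontal_sweeps(events, threshold=HOST_THRESHOLD):
    """Subnet view: sources touching >= threshold distinct hosts on the same port."""
    hosts = defaultdict(set)
    for src, dst, port in events:
        hosts[(src, port)].add(dst)
    return {src for (src, _port), h in hosts.items() if len(h) >= threshold}

def seen_by_single_host(events, host):
    """What a detector running on one host alone sees: only packets addressed to it."""
    return [e for e in events if e[1] == host]

if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG))
    print("vertical scanners (per-host view):", vertical_scans(events))
    print("horizontal sweepers (subnet view):", horizontal_sweeps(events))
    # A single host in the swept range sees exactly one packet from 10.0.0.9.
    print("192.168.1.11 alone sees:", seen_by_single_host(events, "192.168.1.11"))
```

The per-host detector flags only the vertical scanner; the sweep is visible only when connection attempts are correlated across the whole subnet, which is the view a separate firewall in front of the servers provides.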


