Re: stoping net scans

To: debian-firewall@lists.debian.org
Cc: Sêrêciya Kurdistanî <sereciya@kurdistan.ath.cx>
Subject: Re: stoping net scans
From: José A. Guzmán <jose@iteso.mx>
Date: Sat, 12 Apr 2003 13:07:17 -0500
Message-id: <[🔎] 1050170837.3e9855d5c73f4@correo.iteso.mx>
In-reply-to: <[🔎] 20030412172810.GA99027@kurdistan.ath.cx>
References: <[🔎] 1050166210.3e9843c2cf485@correo.iteso.mx> <[🔎] 20030412172810.GA99027@kurdistan.ath.cx>

Mensaje citado por Sêrêciya Kurdistanî <sereciya@kurdistan.ath.cx>:

> Hello,
> 
> On Sat, Apr 12, 2003 at 11:50:10AM -0500, Jos? A. Guzm?n wrote:
> >  Is there a tool (log monitoring or otherwise) that effectively blocks
> incoming
> > port scans (maybe interacting with iptables)?.
> 
>   A properly configured firewall.
>  
> >  What are you guys using to block incoming port scans?
> 
>   See above.  
> 
>   The best thing to do is to set up a "statefull" firewall,
>   meaning, any outgoing packet originating from you will be
>   allowed back in (ie also known as "reflexive" rules).
> 
>   I regret that I don't have any examples on hand, good luck ;)
>  


    I currently have configured an iptables firewall (-m state) allowing
incoming established connections only and inbound connections to active/intended
ports on designated servers, but my net gets attempted scans several times a
day, and increasing every week.

  Wouldn´t it be easier on the firewall to drop traffic on scanners as soon as
they are detected, than having every packet parsed through every rule on the
firewall box until it reaches the -P DROP ?

 On the other hand, I had not considered Bernd´s advice on the denial of service
possibility opened by blocking incoming port scans of forged IPs; is this DoS a
common practice? 

 What do you guys have experienced?


> -- 
> +--------------------------------------------------------------+
> | Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî  |
> |   Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me      |
> |     nêzîk e.                                                 |
> |                                                              |
> | Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin      |
> |   Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan     |
> |     kesên xwînperest, ne jî ji yên din.                      |
> |                                                              |
> |                                   -Sêrêciya Kurdistanî       |
> +--------------------------------------------------------------+
>   translation provided on request: sereciya@kurdistan.ath.cx
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 


-- 
José

department of redundancy department

---

Reply to:

References:
- stoping net scans
  - From: José A. Guzmán <jose@iteso.mx>
- Re: stoping net scans
  - From: =?unknown-8bit?q?S=EAr=EAciya_Kurdistan=EE?= <sereciya@kurdistan.ath.cx>

Prev by Date: Re: stoping net scans
Next by Date: how to setup the firewall init script...
Previous by thread: Re: stoping net scans
Next by thread: Re: stoping net scans
Index(es):
- Date
- Thread