
Re: checking security logs



On Tue, Jan 23, 2001 at 05:19:24PM -0600, David Duffey wrote:
> On Tue, Jan 23, 2001 at 11:45:28AM -0500, Gord Mc . Pherson wrote:
> >   I'd also concur with a previous comment about 'portsentry', since it's possible to spoof an address and have portsentry block it. It therefore becomes an effective tool for a hacker to use as a DoS. For example, I could find out what your ISP's DNS servers are, spoof those addresses and have your portsentry block them. This would cut you off from the net until you manually corrected it.
> 
> Actually that will not happen to me, or anyone else installing the debian portsentry
> package because that is NOT the way that debian ships portsentry by default, and there
> is even a comment about spoofing in the portsentry config file:
> 
> # I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
> # AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
> # and people can make scans appear out of thin air. The only time it
> # is reasonably safe (and I *never* think it is reasonable) to run
> # reverse probe scripts is when using the "classic" -tcp mode.

I agree with this point too.

> granted this is in the section talking about the KILL_RUN_CMD, but it's pretty
> obvious that this applies to other KILL_.*_CMDs also.
> 
> The only thing I use portsentry for is for information gathering, and that, is the
> most important aspect of securing a system (knowledge of the system). My "real"
> security is in a less-dynamic way through rp_filter, ipchains, tcp-wrappers and
> chroot'ed environments.
> 
> I only recommend portsentry as an informational tool (as the original poster requested)

And if the license for portsentry is an issue, you could also consider
scandetd, which is a portscan detector released under the GPL.

-- 
--Brad
============================================================================
Bradley M. Alexander, CISSP              |   Co-Chairman,
Beowulf System Admin/Security Specialist |    NoVALUG/DCLUG Security SIG
Winstar Telecom                          |   balexander@winstar.com
(703) 889-1049                           |   storm@tux.org
============================================================================
Time is what keeps everything from happening to us all at once.
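The "information gathering only" stance discussed in the thread, as an added example that is not from the mail, from portsentry or from scandetd: it parses portsentry-style syslog lines (format, addresses and threshold constructed here), reports sources that probe several ports, and deliberately never emits a block action, flagging hits that appear to come from the ISP's resolvers, which is what a spoofed probe aimed at cutting the host off from DNS would look like.

```python
"""Portscan detection in log-only mode. Added example; the log format,
addresses and threshold below are constructed, not taken from portsentry."""
import re
from collections import defaultdict

# Constructed sample lines in the style of portsentry's syslog output.
SAMPLE_LOG = """\
Jan 23 17:19:01 host portsentry[412]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 23
Jan 23 17:19:01 host portsentry[412]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
Jan 23 17:19:02 host portsentry[412]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 143
Jan 23 17:19:05 host portsentry[412]: attackalert: Connect from host: 203.0.113.53/203.0.113.53 to TCP port: 23
Jan 23 17:19:05 host portsentry[412]: attackalert: Connect from host: 203.0.113.53/203.0.113.53 to TCP port: 111
Jan 23 17:19:06 host portsentry[412]: attackalert: Connect from host: 203.0.113.53/203.0.113.53 to TCP port: 143
Jan 23 17:20:10 host portsentry[412]: attackalert: Connect from host: 192.0.2.9/192.0.2.9 to TCP port: 23
"""

# Constructed: the ISP's resolvers. Source addresses are unauthenticated, so a
# probe "from" these is indistinguishable from a spoof meant to get them blocked.
PROTECTED = {"203.0.113.53", "203.0.113.54"}
SCAN_THRESHOLD = 3  # distinct ports from one source before it counts as a scan

LINE_RE = re.compile(
    r"attackalert: Connect from host: (?P<src>[\d.]+)/\S+ to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

def parse(log_text):
    """Return {source: set of (proto, port)} from portsentry-style lines."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ports_by_src[m["src"]].add((m["proto"], int(m["port"])))
    return ports_by_src

def classify(ports_by_src, protected=PROTECTED, threshold=SCAN_THRESHOLD):
    """Return {source: action} for sources at or above the threshold.
    Actions are 'log' or 'log-protected'; there is no 'block' on purpose,
    so a spoofed scan cannot turn the detector into a denial of service."""
    verdicts = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= threshold:
            verdicts[src] = "log-protected" if src in protected else "log"
    return verdicts

if __name__ == "__main__":
    for src, action in sorted(classify(parse(SAMPLE_LOG)).items()):
        print(f"{action:14} {src}")
```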


