
Re: portsentry dangerous? hardly; RTFM. (was Re: checking security logs)



thomas lakofski <thomas@88.net> writes:
> Tim Haynes wrote:
> Script kiddies generally don't know what's happened to them when
> portsentry triggers, and go looking for easier fodder

Random garbage traveling across the 'net is exactly this: Random
garbage.

> > Who says someone's going to go through a full SYN connect, anyway? Sounds like
> > you need a stateful firewall to be somewhat safer.
> 
> If they're not doing a full connect, portsentry won't trip.

aka 'Won't notice anything except TCP-connect scans'. So somebody
tries to connect to what he thinks is a service you offer and then you
block his IP (which could have been allocated dynamically out of an
ISP's pool and change within seconds without any necessity for a
different machine at the other end)?

A nice remote DoS:
--------------------
while true;
do
    isdnctrl dial ippp0
    nc -v -z <your.ip> <port>
    isdnctrl hangup ippp0
done
--------------------

If I suffer from dynamic IP allocations, you would be blocking
hundreds of IPs within a comparatively short amount of time (~ 3-5
seconds per IP). This will keep your machine quite busy and will block
entirely legitimate accesses to the services you talk of below from
people who happen to get said IPs next.

> If they're actually out to exploit the hole

Why do you worry about holes in programs you don't even run?
No one can attack you with a portmapper-exploit if there's no portmapper
to talk to.

> When using software like this it's assumed that you have a good idea
> of what is happening on the box.

If I know what's happening on the box, I don't need a tool like this,
as I don't run any services except those I intend to, with the latter
ones being reasonably configured.

> I don't have it trigger as a result of anything other than a full
> TCP connect.

see above

> I have a default-deny firewall with portsentry.

Consider a default-REJECT firewall. This is a lot nicer to others.

> There are only around 5 valid services on the box,

So these are the ones to worry about.

> and about 30 fake ports wired up to portsentry.

So you deliberately open up thirty ports without any real need to do
so to get *what*? 

Why not simply close them and be done with it?

> People who have valid business on the box never run into trouble,

They will, as demonstrated above.

-- 
SIGSTOP
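The collateral-damage argument in the message above (a connect-and-block policy plus a dynamically assigned address pool) can be replayed as a small simulation. This is an example added to this page, not code from the thread or from portsentry; the address pool (TEST-NET-1 addresses), the 4-second dial cycle and the later "legitimate customer" connections are all constructed, and the `block_ttl` parameter is a hypothetical mitigation (expiring blocks) that the message itself does not discuss.

```python
"""Toy simulation of a portsentry-style 'block the source IP on first connect'
policy when the peer sits in a dynamically assigned ISP pool.

Added example for this thread, not code from the original message or from
portsentry. The address pool, timings and events are all constructed."""

from collections import namedtuple

# kind is "probe" (connect to a trap port) or "legit" (a real service on the box)
Event = namedtuple("Event", "t src kind")

# Constructed ISP pool; TEST-NET-1 addresses, so nothing here is a real host.
POOL = ["192.0.2.%d" % i for i in range(1, 51)]


def constructed_events(step=4, legit_start=1000):
    """One dial/connect/hangup cycle per pool address, each ~4 s apart (the
    loop quoted in the thread), followed much later by ordinary customers who
    are handed the very same addresses and use a real service."""
    events = [Event(i * step, ip, "probe") for i, ip in enumerate(POOL)]
    events += [Event(legit_start + i * step, ip, "legit")
               for i, ip in enumerate(POOL)]
    return sorted(events, key=lambda e: e.t)


def simulate(events, block_ttl=None):
    """Replay events through the auto-blocker.

    Returns (legit_denied, probes_denied, still_blocked):
      legit_denied  - connections to real services refused because the
                      address had been blocked earlier (collateral damage)
      probes_denied - trap-port probes the block actually stopped
      still_blocked - size of the block list at the end
    block_ttl=None models a block that is never expired; a number is the
    hypothetical mitigation of dropping a block after that many seconds."""
    blocked = {}  # src ip -> time it was blocked
    legit_denied = probes_denied = 0
    for ev in events:
        if block_ttl is not None:
            # expire stale entries before consulting the list
            for ip, t0 in list(blocked.items()):
                if ev.t - t0 >= block_ttl:
                    del blocked[ip]
        if ev.src in blocked:
            if ev.kind == "legit":
                legit_denied += 1
            else:
                probes_denied += 1
            continue
        if ev.kind == "probe":
            # first connect to a trap port: block the address
            blocked[ev.src] = ev.t
    return legit_denied, probes_denied, len(blocked)


if __name__ == "__main__":
    ev = constructed_events()
    print("permanent blocks:", simulate(ev))                 # (50, 0, 50)
    print("5-minute blocks: ", simulate(ev, block_ttl=300))  # (0, 0, 0)
```

With permanent blocks the policy stops none of the probes (each one arrives from a fresh address) yet refuses every later legitimate connection from the reused addresses; with a short expiry the block list is empty by the time the customers show up. Either way the only connections the blocker ever affects are the ones the author says should simply not be reachable in the first place.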


