
Re: 'mirror' with iptables



On 14 Nov 2001, Tim Haynes wrote:

> Frying pan:
>
> If done properly... it's a risk, but one that's assessable.

i assess it to be high :)

> > if you want to stop portscans maybe portsentry would help you?
>
> Fire:
>
> If you use portsentry in dynamic mode, you're open to spoofed IP#s just as
> much - someone making you block your nameserver or default route would be
> favourite. (Not to mention, how do you get it to "protect" a server that's
> already on a port...?)

zzzz... old thread.  running in dynamic mode is not recommended, etc
etc.  ignore root servers, blah blah.  all in the manual...
incidentally the default route issue isn't an issue since packets don't
have source addr = router addr.

snort (as you mention) is good for detecting attacks on ports you must
provide service on -- portsentry is just the one facet but the question
was in re portscans.

> If you want to stop port-scans, use a proper firewall with DENY (ipchains)
> or DROP (iptables) by default.

how does this stop the scanner from identifying open ports?

> Use either snort or, at a push, portsentry, to spot incoming packets
> matching signatures of known exploits, for `cool, I dropped the packet
> anyway' factor.

snort's flexresp is clever, yes... beats portsentry but considerably
more maintenance.

cheers,

-thomas

-- 
 Do what thou wilt shall be the whole of the Law.
                -- Aleister Crowley
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4  F053 4AE5 01DF 81FD 4B43
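The disagreement above is about what a scanner actually learns from a host behind a default-DROP firewall. The following is an added example, not code from the thread or from any of the tools discussed: a minimal TCP connect scanner that reports the three states a scanner can distinguish (open: the service answered SYN-ACK; closed: the kernel answered RST; filtered: nothing came back, which is what a DROP rule produces). It probes loopback, so it assumes a local listening socket as a stand-in for a served port; "filtered" can only be observed against a real DROP rule, which loopback does not have.

```python
# Added example (not from the original thread): a tiny TCP connect scanner that
# shows what a scanner actually sees, so the "does DROP hide open ports?" point
# can be checked rather than argued.
import socket


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Probe one TCP port and report what the scanner learns from the reply.

    open     - handshake completed: a service answered SYN-ACK. No firewall
               policy can hide this, because the port has to answer to be useful.
    closed   - the kernel sent RST: nothing listens and no rule swallowed the SYN
               (what you see with no firewall, or with a REJECT rule).
    filtered - no reply before the timeout: typical of a default-DROP policy.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            # e.g. ICMP unreachable; a connect scan cannot tell this apart from
            # a silent drop without more probes, so lump it with filtered.
            return "filtered"


def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Scan a list of ports; the result is what a scanner's state column shows."""
    return {p: classify_port(host, p, timeout) for p in ports}


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Constructed stand-in for a served port: a listening socket on an
    ephemeral port. The kernel completes the TCP handshake from the backlog,
    so no accept() loop is needed for connect() to succeed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port that is currently not listening (bind, read it back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = start_listener()
    served = srv.getsockname()[1]
    idle = free_port()
    for port, state in scan("127.0.0.1", [served, idle]).items():
        print(f"{port:5d}/tcp  {state}")
    # The served port reports 'open' whatever the policy on the other ports;
    # 'filtered' only appears against a real DROP rule, which loopback lacks.
    srv.close()
```

Run it and the listening port comes back "open" and the idle one "closed". Put the same host behind a default-DROP policy and the idle port turns "filtered" (the scan gets slower, since every probe waits for the timeout), but the served port is still "open": a DROP policy removes the RSTs that make a scan fast, it does not hide the ports you have to serve on, which is the point being argued in the message above.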


