Re: 'mirror' with iptables
On 14 Nov 2001, Tim Haynes wrote:
> thomas lakofski <thomas@88.net> writes:
>
> [snip]
> > snort (as you mention) good for detecting attacks on ports you must
> > provide service on -- portsentry is just the one facet but the question
> > was in re portscans.
> >
> > > If you want to stop port-scans, use a proper firewall with DENY
> > > (ipchains) or DROP (iptables) by default.
> >
> > how does this stop the scanner from identifying open ports?
>
> Why is a port open to a scanner's IP#, if not in order to be used?
good point. what we're trying to do here though is heuristically (or
more simplistically) isolate port scans and stop them from being
successful -- well, this is the portsentry principle of operation. i.e.
no one has any business connecting to 111/tcp or 27374/tcp over the
Internet, so presume that they are up to no good and block 'em...
> > snort's flexresp is clever, yes... beats portsentry but considerably more
> > maintenance.
>
> Yes. For a better system, you have to do more work. <shrug> :)
yup, security 101 :)
cheers,
-thomas
>
> ~Tim
>
--
Do what thou wilt shall be the whole of the Law.
-- Aleister Crowley
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4 F053 4AE5 01DF 81FD 4B43
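As an added example (not part of the original thread, and not portsentry's or snort's own code), here is what the approach discussed above looks like in netfilter terms: an INPUT chain that DROPs by default, ACCEPTs only the ports you actually serve, and LOGs new connections to the "bait" ports 111/tcp and 27374/tcp named in the message; a second function then does the portsentry-style step of reading those kernel LOG lines and emitting a per-source DROP rule. The served ports (22, 80), the interface name, the "BAIT " log prefix and the sample log lines are all assumptions constructed for the example. The rules are printed rather than executed so the script runs without root.

```shell
#!/bin/sh
# Default-DROP firewall plus portsentry-style auto-blocking of hosts that
# touch bait ports. Commands are printed, not run: pipe into sh as root
# to apply. Served ports, interface and log prefix are assumptions.

BAIT_PORTS="111 27374"      # nobody legitimate connects to these from the Internet
SERVED_PORTS="22 80"        # assumed: the services actually offered
EXT_IF="eth0"               # assumed external interface

# Emit the base ruleset: DROP policy, allow loopback and established
# traffic, open only served ports, and LOG new SYNs to the bait ports.
# Anything else falls through to the DROP policy silently.
base_ruleset() {
  printf 'iptables -P INPUT DROP\n'
  printf 'iptables -F INPUT\n'
  printf 'iptables -A INPUT -i lo -j ACCEPT\n'
  printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
  for p in $SERVED_PORTS; do
    printf 'iptables -A INPUT -i %s -p tcp --dport %s --syn -j ACCEPT\n' "$EXT_IF" "$p"
  done
  for p in $BAIT_PORTS; do
    # LOG with a fixed prefix so the log parser below can pick these lines out
    printf 'iptables -A INPUT -i %s -p tcp --dport %s --syn -j LOG --log-prefix "BAIT "\n' "$EXT_IF" "$p"
  done
}

# Read kernel LOG lines on stdin and print each distinct SRC that hit a
# bait port, in first-seen order. Lines without our prefix are ignored.
scanners_from_log() {
  awk -v bait="$BAIT_PORTS" '
    BEGIN { n = split(bait, b, " "); for (i = 1; i <= n; i++) isbait[b[i]] = 1 }
    /kernel: BAIT / {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && (dpt in isbait) && !(src in seen)) { seen[src] = 1; print src }
    }'
}

# Turn a list of source addresses (one per line on stdin) into DROP rules
# inserted at the top of INPUT, so the scanner loses even the served ports.
block_rules() {
  while IFS= read -r src; do
    printf 'iptables -I INPUT -s %s -j DROP\n' "$src"
  done
}

# Constructed sample of netfilter LOG output (Linux 2.4 format); two probes
# from 203.0.113.7 (deduplicated), one from 198.51.100.23, one unrelated line.
SAMPLE_LOG='Nov 14 12:00:01 host kernel: BAIT IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=41234 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 14 12:00:02 host kernel: BAIT IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=41235 DPT=27374 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 14 12:00:05 host kernel: BAIT IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=777 DF PROTO=TCP SPT=1025 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 14 12:00:09 host sshd[412]: Accepted publickey for thomas from 192.0.2.55 port 50022 ssh2'

# Stand-alone demonstration: print the base rules, then the blocks the
# sample log would trigger.
base_ruleset
printf '%s\n' "$SAMPLE_LOG" | scanners_from_log | block_rules
```

The usual caveat with this kind of auto-blocking applies: a SYN to a bait port is trivially spoofable, so an attacker who knows you do this can forge probes from addresses you depend on (DNS servers, upstream routers) and have you block them. Rate-limit the LOG rule, whitelist infrastructure addresses before the generated DROPs, and expire the blocks rather than keeping them forever.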