Re: 'mirror' with iptables

To: thomas lakofski <thomas@88.net>
Cc: Tim Haynes <debian@stirfried.vegetable.org.uk>, fadel@ferasoft.com.br, <debian-security@lists.debian.org>
Subject: Re: 'mirror' with iptables
From: Tim Haynes <debian@stirfried.vegetable.org.uk>
Date: 14 Nov 2001 13:34:59 +0000
Message-id: <[🔎] 863d3h1nng.fsf@potato.vegetable.org.uk>
Reply-to: debian@stirfried.vegetable.org.uk
In-reply-to: <[🔎] Pine.LNX.4.40.0111141318090.25210-100000@io.88.net> (thomas lakofski's message of "Wed, 14 Nov 2001 13:21:37 +0000 (GMT)")
References: <[🔎] Pine.LNX.4.40.0111141318090.25210-100000@io.88.net>

thomas lakofski <thomas@88.net> writes:

[snip, `get a good firewall']
> > > how does this stop the scanner from identifying open ports?
> >
> > Why is a port open to a scanner's IP#, if not in order to be used?
> 
> good point. what we're trying to do here though is heuristically (or more
> simplistically) isolate port scans and stop them from being successful --
> well this is the portsentry principle of operation. ie noone has any
> business connecting to 111/tcp or 27374/tcp over the Internet, so presume
> that they are up to no good and block 'em...

Here portsentry is still the lesser option. I know the options I'm
suggesting, and admit that when I run a webserver, the only packets that
won't hit port 80/tcp are those flagged as `INVALID' in iptables. Ditto
ssh, for most intents & purposes (there are boxes where it's a lot tighter,
of course).

It sounds like what you want is bad-behaviour-detection *within* the fact
that a given port has to be `mostly open' rather than `mostly closed'. That
behaviour is going to be far more varied than `oh rats, they sent an
Xmas-tree packet to the port, quick, block them in the firewall'. You can,
and do, get misbehaviour such as Nimda without any TCP- or IP-level
manglings.

Personally, I go for
a) DROP-by-default firewall with stateful filtering in iptables;
b) such ports that are wide open (22, 80, 53/udp... whatever) are still
   behind the protection of `INVALID';
c) such services that listen on the open ports are as secured as possible -
   latest versions, no extra apache modules, the whole 9 yards of BIND
   security, libsafe, etc;
d) fwlogwatch to mail me firewall alerts every night;
e) snort to keep an eye on what tricks people are playing with those few
   services that are open;
f) AIDE to mail me filesystem changes every night.

It's pretty rarely that I see any abuse that gets as far down the chain as
to deserve human intervention.

~Tim
-- 
Newton and Adam, lost and found,            |piglet@stirfried.vegetable.org.uk
The apple must fall to the ground           |http://spodzone.org.uk/

Reply to:

Follow-Ups:
- Re: 'mirror' with iptables
  - From: thomas lakofski <thomas@88.net>

References:
- Re: 'mirror' with iptables
  - From: thomas lakofski <thomas@88.net>

Prev by Date: Re: 'mirror' with iptables
Next by Date: Re: 'mirror' with iptables
Previous by thread: Re: 'mirror' with iptables
Next by thread: Re: 'mirror' with iptables
Index(es):
- Date
- Thread