Re: Intrusion Attempts
Ariel Graneros <firstname.lastname@example.org> writes:
> On Tue, 3 Dec 2002 21:19:28 EST Trawets53@aol.com wrote:
>> Hi. Can you help me. Who do I report the above to. I have 2 firewalls
>> running and tonight I was attacked from the same address 172 times in
>> less than an hour. These people want banning off the net. It is
>> certainly a violation of my privacy. A dozen times is an excuse but 172,
>> I ask you. Please come back.
> A good solution is portsentry:
No, a good solution is whois(1).
If the OP's complaint is valid (do we have logs / a description of what was
going off? Has he taken a cold shower since posting?) then a complaint to
abuse@ the ISP providing the incoming IP#s *may* be appropriate.
Otherwise there are perfectly rational explanations for quite a lot of
perceived "attack"s; maybe this avenue should be pursued further.
> PortSentry is part of the TriSentry suite of security tools. It is a
> program designed to detect and respond to port scans against a target
> host in real-time. Stealth detection modes are available under all Unix
> platforms and detects SYN, FIN, NULL, XMAS, and Oddball packet scans. All
> modes support real-time blocking and reporting of violations.
I've just explained over on comp.os.linux.security why portsentry is a
lousy idea, but to summarize:
a) "dynamic" means nothing when the packets shouldn't have permeated to
user-space at all;
b) risk of auto-DoS if someone spoofs a given set of valuable IP#s;
c) having to have no firewall, or extra holes in a firewall, in order to
detect a finite set of events seems daft when you could just be blocking
them already by default.
IOW, write a proper firewall with DROP-by-default and only as few services
open as you need, and if you want a different view on what attacks are
going off, get something with a *much* larger rule-base like _snort_
And when you get a real incident of either massive abuse or targeted
attacks, *then* you whine to the people responsible.
172 packets dropped in a firewall does not a DoS - or even an attack -
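The "do we have logs / what was going off?" question above, as an added example that is not from this thread: a small Python triage script that summarises netfilter LOG lines per source IP (hit count, distinct destination ports, time span) before anyone decides whether a whois and an abuse@ mail are warranted. The log lines are constructed, the DROP: prefix and the thresholds in verdict() are my assumptions.

```python
"""Summarise iptables/netfilter LOG lines per source before deciding whether anything is worth reporting."""
import re
from collections import defaultdict
from datetime import datetime

# Fields the kernel LOG target emits; SRC, PROTO and DPT are the ones triage needs.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: \S+ "
    r".*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?"
)

def summarise(lines, year=2002):
    """Return {src: {"count", "ports", "first", "last", "minutes"}} for the parsed lines."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = per_src[m["src"]]
        rec["count"] += 1
        if m["dpt"]:
            rec["ports"].add(int(m["dpt"]))
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    for rec in per_src.values():
        rec["minutes"] = (rec["last"] - rec["first"]).total_seconds() / 60
    return dict(per_src)

def verdict(rec):
    """Rough triage (assumed thresholds): many ports -> scan; many hits on one port -> probe; else noise."""
    if len(rec["ports"]) >= 10:
        return "port scan: whois the source, keep the log, report only if it persists"
    if rec["count"] >= 100 and len(rec["ports"]) <= 2:
        return "repeated probe of one service (worm or misconfigured client): dropped, no action"
    return "background noise: no action"

def constructed_log():
    """Constructed sample: 172 hits on port 80 from one host in under an hour, a 16-port scan, one ping."""
    fmt = ("Dec  3 {t} gw kernel: DROP: IN=ppp0 OUT= SRC={src} DST=198.51.100.7 "
           "LEN=48 TTL=115 PROTO={proto}{dpt}")
    lines = [fmt.format(t=f"21:{i // 3:02d}:{(i * 7) % 60:02d}", src="192.0.2.10",
                        proto="TCP", dpt=" SPT=3129 DPT=80") for i in range(172)]
    lines += [fmt.format(t=f"22:05:{p - 20:02d}", src="203.0.113.5",
                         proto="TCP", dpt=f" SPT=40000 DPT={p}") for p in range(20, 36)]
    lines.append(fmt.format(t="22:30:00", src="198.51.100.99", proto="ICMP", dpt=""))
    return lines

if __name__ == "__main__":
    for src, rec in summarise(constructed_log()).items():
        print(f"{src}: {rec['count']} hits, {len(rec['ports'])} ports, {rec['minutes']:.0f} min -> {verdict(rec)}")
```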