
Re: Port Sentry

From: "Noah L. Meyerhans" <frodo@morgul.net>
To: Debian User List <debian-user@lists.debian.org>
Subject: Re: Port Sentry
Date: Sat, 2 Jun 2001 12:50:39 -0400

On Sat, Jun 02, 2001 at 08:51:46PM +0530, Rajkumar S. wrote:
> > Now when portsentry detects a port scan it blocks the ip making the
> > scan.
>
> Is it wise to block an ip just because it did a port scan?
> What if s/he spoofs the ip and puts your ip as source address?

This is the real problem, and is a very good reason not to block IP
addresses based on a portscan.  Very few large scale sites do anything
of the sort.  It is trivial to spoof the source address of a portscan,
allowing one to cause your machine to block access from your nameservers
or your clients or other important sites.

I recommend using ippl or the ipchains/iptables based logging facilities
in place of portsentry.  They don't necessitate having a service
actually listening on unused ports.

noah

--
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html

These networks are not accessible from the internet, nor are the customer networks. So the only spoofing would be from either co-workers here, or employees of customers. The decision then is whether the risk of a spoofed-source DoS is worth continuing to accept data from a potentially compromised host, particularly when the person doing the scan is someone who knows a lot about the systems he's attacking and the data they process. Such a person could easily fake customer billing, credits, and cause lots of problems far worse than an hour or so of downtime.

But you are right about the nameservers not blocking. The whole point of many nameservers is public access, so they are easily found, and often messed with, so they should be monitored closely, be tight, but also be tolerant of newbies trying weird things to them. However, in this situation the nameservers are less important anyway; most of the applications have the IPs in their hosts files. Nearly all of the systems are application processors, not user stations, so they are constantly passing application messages, datafiles, etc. with a fixed set of machines.
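Noah's suggestion above is to log probes with ipchains/iptables and review them rather than let portsentry block on sight, because a spoofed source can turn the blocker into a self-inflicted DoS. Here is an added example (not code from either poster) of that review step: it parses iptables LOG lines, counts distinct ports per source, and keeps a never-block list so a scan apparently coming from the site's nameserver is reported but never queued for blocking. The log lines, the `PROBE` log prefix, the addresses and the nameserver entry in `NEVER_BLOCK` are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG output (kernel log lines); not from the list post.
SAMPLE_LOG = """\
Jun  2 12:50:01 gw kernel: PROBE IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jun  2 12:50:01 gw kernel: PROBE IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Jun  2 12:50:02 gw kernel: PROBE IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=79 SYN
Jun  2 12:50:02 gw kernel: PROBE IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=111 SYN
Jun  2 12:50:05 gw kernel: PROBE IN=eth0 OUT= SRC=192.0.2.53 DST=192.0.2.10 PROTO=TCP SPT=40010 DPT=21 SYN
Jun  2 12:50:05 gw kernel: PROBE IN=eth0 OUT= SRC=192.0.2.53 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=23 SYN
Jun  2 12:50:06 gw kernel: PROBE IN=eth0 OUT= SRC=192.0.2.53 DST=192.0.2.10 PROTO=TCP SPT=40012 DPT=79 SYN
Jun  2 12:50:09 gw kernel: PROBE IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=40020 DPT=113 SYN
"""

# Assumed: 192.0.2.53 is the site's nameserver. A spoofed scan could carry its address,
# so it must never be blocked automatically, only reported.
NEVER_BLOCK = {"192.0.2.53"}

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one LOG line, or None if it is not one."""
    fields = dict(FIELD.findall(line))
    return fields if {"SRC", "PROTO", "DPT"} <= fields.keys() else None

def ports_by_source(log_text):
    """Map each source address to the set of (proto, port) pairs it probed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f:
            seen[f["SRC"]].add((f["PROTO"], int(f["DPT"])))
    return seen

def review(log_text, threshold=3, never_block=NEVER_BLOCK):
    """Classify sources: scanners to act on, protected addresses to report only, and noise."""
    result = {"scanners": [], "protected": [], "noise": []}
    for src, ports in sorted(ports_by_source(log_text).items()):
        if len(ports) < threshold:
            result["noise"].append(src)
        elif src in never_block:
            # Looks like a scan, but blocking it is exactly the outage the post warns about.
            result["protected"].append(src)
        else:
            result["scanners"].append(src)
    return result
```

Feed it `/var/log/messages` filtered on the LOG prefix your rule uses; the `scanners` list is for a human to look at, not for a firewall rule to consume unattended.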