avara
07-10-2001, 05:56 PM
I've taken most of the security precautions on my RaQ 4i, including keeping its software updated, and using SSH instead of ordinary telnet.
However, I'd like to know if there are any simple utilities that will ban IP's trying to do a port scan on my machine? Also, any good personal firewalls available for Linux which will work with a RaQ?
You may want to try portsentry.
http://www.psionic.com/abacus/portsentry
avara
07-10-2001, 06:08 PM
Thanks for the quick reply WeinBar. :)
I've bookmarked the web page for Portsentry, and will be trying it out shortly.
Portsentry Issues
Using automatic response system....
By spoofing IP addresses and scanning the server, the program will drop the scanning IP into hosts.deny or use similar methods to deny the attacker access to the machine. If this is repeated through a range of IP addresses, you could potentially block a large number of individuals from using your site, thus resulting in a DoS. With fast processors and a good perl script, I could quickly flood your machine with spoofed IP packets and knock out an entire range of IP addresses. If I combine this info with other data, e.g. the IP on our messages here, then this attack can be much more effective. Also, if you have portsentry configured to use IPchains, your memory usage will quickly grow due to all of those new rules. In my opinion, allowing a program to automatically change TCP wrappers, routing tables, or IPchain rules can be dangerous. You could potentially get locked out of your own system. For example, I could grab your IP off your post, flood your machine with the entire range of IPs near yours (just in case your IP is dynamic), and lock you out of your own machine while I continue my mischief.
Suggestion...
I would use portsentry as a monitoring and detection device and not use the automated response system. This way you will know if you are the target of portscans, but nobody will get locked out. Other solutions involve having the banned list cleared every 5 minutes so that bans are only temporary. These are techniques that make portsentry less sensitive to potential DoS attacks. Admittedly, just knowing about portscans is helpful, but just wait until you get that 5MB portsentry scan logfile emailed to you when a script kiddie uses the latest scanner. ;)
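The temporary-ban idea from the post above, as an added example that is not code from the thread or from portsentry itself: a small Python script meant to run from cron that drops portsentry's hosts.deny entries after five minutes and never keeps an entry for the admin's own network, so a spoofed scan cannot lock you out. It assumes portsentry writes "ALL: <ip>" lines (the KILL_HOSTS_DENY default); the state-file path and the 192.0.2.0/24 allowlist are placeholders.

```python
"""Expire portsentry hosts.deny bans after a TTL; never ban allowlisted networks."""
import ipaddress
import json
import re
import time

# Assumption: portsentry's KILL_HOSTS_DENY writes "ALL: <ip>" (optionally ": DENY").
DENY_RE = re.compile(r"^\s*ALL\s*:\s*([0-9A-Fa-f.:]+)\s*(?::\s*DENY\s*)?$")
HOSTS_DENY = "/etc/hosts.deny"                # hypothetical paths used by the cron job
STATE_FILE = "/var/run/portsentry-bans.json"  # ip -> time the ban was first seen


def expire_bans(deny_text, seen, now, ttl=300, allow=()):
    """Return (new hosts.deny text, updated seen map). Bans older than ttl
    seconds or inside an allowed network are dropped; other lines pass through."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    kept, new_seen = [], {}
    for line in deny_text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            kept.append(line)        # comment or hand-written rule: keep verbatim
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            kept.append(line)        # unparsable address: leave it for a human
            continue
        if any(addr in net for net in allowed):
            continue                 # never lock out the admin's own hosts
        first = seen.get(str(addr), now)
        if now - first >= ttl:
            continue                 # temporary ban has expired
        new_seen[str(addr)] = first
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), new_seen


if __name__ == "__main__":           # intended to run from cron every minute
    try:
        with open(STATE_FILE) as f:
            state = json.load(f)
    except (OSError, ValueError):
        state = {}
    with open(HOSTS_DENY) as f:
        text, state = expire_bans(f.read(), state, time.time(), allow=["192.0.2.0/24"])
    with open(HOSTS_DENY, "w") as f:
        f.write(text)
    with open(STATE_FILE, "w") as f:
        json.dump(state, f)
```

Portsentry keeps its own in-memory list of hosts it has already blocked, so a host it re-scans after expiry may not be re-added until portsentry is restarted; treat this as the lightweight version of the "clear the list every 5 minutes" approach rather than a replacement for restarting the daemon.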