> Next week I'll finally get around to installing IPchains and will block each and
> any ports and services except the needed ones.
>
> I wonder if someone on the list has some good ipchains-rules for cobalts and
> is willing to trade them.

Craig Napier posted a nice script on the regular users list about a month ago.
I run it and it works well. Oddly though, it appears to sit atop port sentry and
doesn't cause it to react much. Plus, it disables pings and traceroutes, which
has really cut down on port scans and such - used to be several per day, now
only 1 per day on average.

The only thing it kills, which I am working on, is zone transfers from DNS...
It won't allow them and now my secondary DNS is no longer responding... Got to
get that fixed.

A weird thing happened the other day though, and it's all related - my NOC
pulled my box offline and told me I had lionworm. When we checked, I didn't, as
I had been patched long ago. Apparently, my port sentry triggered their sensor
that looked for open port 1080 (I run advanced stealth mode both tcp and udp).
Weird though, a regular port scan would be blocked by ipchains, not port sentry,
yet port sentry reacted to them... I figure they must be using one of those new
port scanners (not new, just popular now) that can scan through port sentry -
does 1/2 completed requests, from what I understand - not enough to trigger
port sentry but enough to get the info it needs.

I recommend both... I figure it's 2 lines of defense.
Rick
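The zone-transfer problem Rick describes is the usual side effect of a "deny everything but the needed ports" chain: AXFR runs over TCP 53, so a rule set that only opens UDP 53 (or opens TCP 53 to nobody) silently cuts the secondary off. The script below is an added example, not Craig Napier's script or anything from this thread; it emits ipchains input rules that allow ordinary UDP queries, allow TCP 53 only from the secondary name server, and log-and-deny TCP 53 from everyone else. The secondary's address (192.0.2.10) is a constructed placeholder. Rules print by default and are only executed when IPCHAINS_APPLY=1, so the ordering can be reviewed on a box without ipchains.

```shell
#!/bin/sh
# Added example (not from the original post): ipchains input rules that keep a
# default-deny policy while still letting the secondary name server pull zone
# transfers. AXFR uses TCP 53; normal queries mostly use UDP 53.
# Assumption (placeholder, not from the post): the secondary is 192.0.2.10.

SECONDARY_DNS="${SECONDARY_DNS:-192.0.2.10}"   # constructed placeholder address

# Emit the rules in order. ipchains stops at the first matching rule, so the
# specific ACCEPT for the secondary must come before the catch-all DENY.
dns_rules() {
    cat <<EOF
ipchains -A input -p udp -s 0/0 -d 0/0 53 -j ACCEPT
ipchains -A input -p tcp -s ${SECONDARY_DNS} -d 0/0 53 -j ACCEPT
ipchains -A input -p tcp -s 0/0 -d 0/0 53 -j DENY -l
EOF
}

# Apply the rules only when explicitly asked (IPCHAINS_APPLY=1); otherwise just
# print them so the chain can be inspected before it touches the firewall.
apply_dns_rules() {
    if [ "${IPCHAINS_APPLY:-0}" = "1" ]; then
        dns_rules | sh
    else
        dns_rules
    fi
}

# Self-check: the secondary's ACCEPT line must appear before the DENY line,
# otherwise the transfer is blocked exactly as in the post.
check_rule_order() {
    accept_line=$(dns_rules | grep -n -- "-s ${SECONDARY_DNS}" | cut -d: -f1)
    deny_line=$(dns_rules | grep -n -- "-j DENY" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$deny_line" ] && [ "$accept_line" -lt "$deny_line" ]
}

apply_dns_rules
```

The `-l` on the DENY rule logs any other host attempting TCP 53, which is also how you would notice a secondary whose address changed or a second secondary that was never added to the ACCEPT list.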