
Re: IPchains Rules - was Re: [cobalt-security] Portsentry & UDP ports



Hi Rick,

> Craig Napier posted a nice script on the regular users list about a month
> ago. I run it and it works well. 

Many thanks. I'll try to look it up.

> Oddly though, it appears to sit atop port
> sentry and doesn't cause it to react much.

I can imagine. This should depend on which ports you set portsentry to listen 
on. If the custom firewall blocks those ports, then portsentry will not be 
able to do much scanning as the packets are rejected by the firewall before 
they reach portsentry's detection mechanism.

> Plus, it disables pings and
> traceroutes which has really cut down on port scans and such - used to be
> several per day, now only 1 per day on average.

Ouch. That's something I'll have to change. Basic ICMP packets should not 
be denied. Otherwise some of my more skilled customers will claim that the 
box has been unreachable while it was simply rejecting pings due to the 
firewall.

> The only thing it kills, which I am working on, is zone transfers from
> DNS... It won't allow them and now my secondary DNS is no longer
> responding... Got to get that fixed.

That should be simple to fix as your other DNS server has a static IP. Simply 
allow requests from that IP address on port 53 of your protected machine. Put 
it after the setting which denies requests on port 53.

> A weird thing happened the other day though, and it's all related - my NOC
> pulled my box offline and told me I had lionworm. When we checked, I didn't
> as I had been patched long ago. Apparently, my port sentry triggered their
> sensor that looked for open port 1080 (I run advanced stealth mode both tcp
> and udp). Weird though, a regular port scan would be blocked by ipchains,
> not port sentry, yet port sentry reacted to them... I figure they must be
> using one of those new port scanners (not new just popular now) that can
> scan through port sentry - does 1/2 completed requests, from what I
> understand - not enough to trigger port sentry but enough to get the info
> it needs.

As Marc said: Newer scanners can do a stealth scan which is hard for 
portsentry to detect. Marc explained that pretty well.

> I recommend both... I figure it's 2 lines of defense.

Yeah. Better safe than sorry. Just because we're sometimes acting paranoid 
doesn't mean we aren't being followed. ;o)


Mit freundlichen Grüßen / Best regards

Michael Stauber