
Re: [cobalt-security] PortSentry 2.0b1 Beta released



"Kevin D" <kdlists@xxxxxxxxxxxxxxx> wrote:
> And then when the hacker does a decoy scan you get hundreds of innocent
> ips blocked from your server. And hey, if the hacker discovers what you're
> doing, he can just send more decoys until your server is pretty much shut
> down to the outside world, until the rules get flushed in 2-3 days.

Maybe I should disconnect all my servers and recommend my clients do the
same.  :-)  You do have a valid point though.  Sure, there's a chance
someone may attempt some sort of DOS attack or something else that can be a
pain.  And that kind of thing shouldn't be overlooked.  But in my
experience, by far the greatest risk is from script kiddies and other low
level crackers.  In general, they're not targeting a specific box, they're
running software which scans many machines looking for exploitable systems.
IMO, if your box becomes a less desirable target because it's more secure
than other boxes and/or it appears not to exist because a port scan was
recognized, it's no longer as desirable a target.  Of course, a tool like
PortSentry is just a small part of a good security arsenal, but I think it's
a tool that has value.

> If you're really lucky, one of the decoys he uses will be the one you
> connect from to admin the server :)

I'm more worried about locking myself out because of something stupid I do.
Like having a typo in my IPCHAINS rules and blocking all traffic internal to
the box.  Not that I did that a few days ago.  <g>  But seriously, even if a
DOS attack like the one you describe occurs you should have options.  Like a
reboot.  Hopefully you have physical access to the server or can make a call
to someone who does.  Of course, if your most recent IPCHAINS rules are
loaded on reboot you'd really need physical access to boot via the serial
port.  In any case, I prefer to set up IPCHAINS with several trusted IPs so
it's harder to get locked out.  And on a number of servers I have set up a
special email address piping to a CGI script so I can fire off commands that
get executed via the shell (there is security built into it) and have a
secure webpage where I can do the same.  Fun stuff.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
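The two risks discussed in this thread, a decoy scan that makes an auto-blocker punish spoofed innocent addresses, and the administrator locking themself out when one of those decoys is their own address, can be modelled in a few lines. The following is an added example, not code from the thread, from PortSentry or from any IPCHAINS setup; it assumes a simplified policy (any non-trusted host that probes a watched port is blocked for a fixed period, and blocks are flushed when they expire), uses constructed probe addresses from the RFC 5737 documentation ranges, and treats the "2-3 days" flush window as an assumed 3 days.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed value: the thread says rules "get flushed in 2-3 days".
BLOCK_SECONDS = 3 * 24 * 3600


@dataclass
class AutoBlocker:
    """Toy auto-blocker: every non-trusted probing host gets a timed block."""
    trusted: list                                # ip_network objects never blocked
    block_seconds: int = BLOCK_SECONDS
    blocked: dict = field(default_factory=dict)  # ip string -> expiry time (seconds)

    def is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        return expiry is not None and expiry > now

    def on_probe(self, ip, now):
        """Handle one probe from `ip`; return the action taken as a string."""
        if self.is_trusted(ip):
            return "ignored-trusted"        # allowlist wins over the block rule
        if self.is_blocked(ip, now):
            return "already-blocked"
        self.blocked[ip] = now + self.block_seconds
        return "blocked"

    def flush_expired(self, now):
        """Drop expired entries (the periodic flush); return how many were removed."""
        expired = [ip for ip, exp in self.blocked.items() if exp <= now]
        for ip in expired:
            del self.blocked[ip]
        return len(expired)


def make_blocker(trusted_cidrs):
    """Build a blocker from a list of trusted CIDR strings (hypothetical helper)."""
    return AutoBlocker(trusted=[ipaddress.ip_network(c) for c in trusted_cidrs])


# Constructed sample: one real scanning host plus spoofed decoy sources, one of
# which is the administrator's own address.
ADMIN_IP = "192.0.2.10"
SAMPLE_PROBES = [
    "203.0.113.7",   # the real scanner
    "198.51.100.1",  # decoys follow
    "198.51.100.2",
    ADMIN_IP,        # a decoy that happens to be the admin's address
    "198.51.100.3",
    "198.51.100.1",  # repeat hit from an already-blocked decoy
]


def run_decoy_scan(blocker, probes, now=0):
    """Feed the probes to the blocker and summarise what happened."""
    actions = [blocker.on_probe(ip, now) for ip in probes]
    return {
        "newly_blocked": actions.count("blocked"),
        "ignored_trusted": actions.count("ignored-trusted"),
        "repeat_hits": actions.count("already-blocked"),
        "admin_locked_out": blocker.is_blocked(ADMIN_IP, now),
    }


if __name__ == "__main__":
    # With the admin's network on the allowlist the decoy does not lock them out.
    with_allowlist = make_blocker(["192.0.2.0/24"])
    print("allowlist:", run_decoy_scan(with_allowlist, SAMPLE_PROBES))
    # Without an allowlist the same decoy scan blocks the admin's address too.
    without_allowlist = make_blocker([])
    print("no allowlist:", run_decoy_scan(without_allowlist, SAMPLE_PROBES))
    # The flush after the block window removes the decoy entries again.
    print("flushed:", with_allowlist.flush_expired(BLOCK_SECONDS))
```

The model makes the trade-off explicit: every spoofed decoy still costs one block entry until the flush, so the allowlist does not stop the nuisance, but it does guarantee that the addresses the operator administers from are never among the casualties.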