Re: [cobalt-security] PortSentry 2.0b1 Beta released
- Subject: Re: [cobalt-security] PortSentry 2.0b1 Beta released
- From: Mike Vanecek <clist.mtv@xxxxxxxxxxxx>
- Date: Fri, 12 Apr 2002 09:06:12 -0500
- Organization: anonymous
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Thu, 11 Apr 2002 13:18:19 -0400, "Steve Werby" <steve-lists@xxxxxxxxxxxx>
wrote:
:>Are you using IPCHAINS to block the IPs, your router or something else? How
:>many IPs or subnets are you blocking at any given time and do you find that
:>affects performance? My philosophy is generally to only block IPs for a
:>short period of time (hours or days). I base that on my experience that
:>most portscans and hacking attempts are from dialup IPs or rooted machines
:>so the threat from those IPs after a short period of time seems to be much
:>less. Any thoughts?
The below is best viewed with a fixed font.
My scheme is dynamic depending on the amount of activity. A full scan gets you
in my firewall. A port 22 scan gets you in my firewall (I do ssh on a
different port). A port 21 scan gets you watched. Ever-increasing problems
from a range get the range blocked. No activity for a while gets you removed.
As you can see below, some items could be removed since the activity level
seems to have gotten quiet while others are still quite active. I handle all
this with portsentry (via portsentry.init). My portsentry config parameters
and portsentry.init definitions follow the ipfwadm list (Qube2 does not have
ipchains; however, I use the same scheme with ipchains on other boxes). I
modify portsentry.init based on the activity I monitor in the log and
periodically restart portsentry. The following is probably more than you
wanted, but it was easier to show what I was doing than to describe it.
I have edited the list to only show items of interest to the discussion. I
last restarted portsentry about 2 weeks ago. My last attack was from a local
security test machine which my portsentry locked out of my box immediately.
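As an added example (not code from Mike's post or from the PortSentry project), the escalation scheme he describes can be written down as a small policy function run over portsentry-style "attackalert" log lines: an ssh probe or a full scan gets the host blocked, an ftp probe gets it watched, enough misbehaving hosts in one /24 get the range blocked, and idle hosts age out. The log lines, the /24 grouping, and the thresholds (3 ports for a "full scan", 3 hosts per range, 7 days idle) are assumptions, not portsentry settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of portsentry's "attackalert" syslog output (not real data).
LOG = """\
Apr 12 08:01:02 qube portsentry[512]: attackalert: TCP SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 22
Apr 12 08:01:05 qube portsentry[512]: attackalert: TCP SYN/Normal scan from host: 192.0.2.11/192.0.2.11 to TCP port: 21
Apr 12 08:02:00 qube portsentry[512]: attackalert: TCP SYN/Normal scan from host: 192.0.2.12/192.0.2.12 to TCP port: 21
Apr 12 08:02:30 qube portsentry[512]: attackalert: TCP SYN/Normal scan from host: 192.0.2.13/192.0.2.13 to TCP port: 21
Apr 12 08:03:00 qube portsentry[512]: attackalert: TCP SYN/Normal scan from host: 198.51.100.7/198.51.100.7 to TCP port: 80
Apr 12 08:03:01 qube portsentry[512]: attackalert: TCP SYN/Normal scan from host: 198.51.100.7/198.51.100.7 to TCP port: 111
Apr 12 08:03:02 qube portsentry[512]: attackalert: TCP SYN/Normal scan from host: 198.51.100.7/198.51.100.7 to TCP port: 143
Mar  1 10:00:00 qube portsentry[512]: attackalert: TCP SYN/Normal scan from host: 203.0.113.5/203.0.113.5 to TCP port: 21
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*attackalert: .*from host: "
                     r"\S+/(\d+\.\d+\.\d+\.\d+) to TCP port: (\d+)")

def parse(line, year=2002):
    """Return (timestamp, source host, probed port) for an attackalert line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2), int(m.group(3)))

def decide(lines, now, ssh_port=22, ftp_port=21, full_scan_ports=3, range_hosts=3, idle=timedelta(days=7)):
    """Apply the escalation scheme; thresholds are assumed values, not portsentry settings."""
    ports, last = defaultdict(set), {}
    for rec in filter(None, map(parse, lines)):
        ts, host, port = rec
        ports[host].add(port)
        last[host] = max(ts, last.get(host, ts))
    block, watch = set(), set()
    for host, seen in ports.items():
        if now - last[host] > idle:
            continue                           # no activity for a while: host is dropped
        if ssh_port in seen or len(seen) >= full_scan_ports:
            block.add(host)                    # ssh probe or full scan: straight into the firewall
        elif ftp_port in seen:
            watch.add(host)                    # ftp probe: watched, not yet blocked
    by_range = defaultdict(set)                # escalate a /24 once enough of its hosts misbehave
    for host in block | watch:
        by_range[host.rsplit(".", 1)[0] + ".0/24"].add(host)
    block_range = {r for r, hosts in by_range.items() if len(hosts) >= range_hosts}
    return {"block": block, "watch": watch, "block_range": block_range}
```

The returned sets are what would be turned into ipchains/ipfwadm deny rules (and removals) at the next portsentry restart.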