Date: Fri, 21 Apr 2000 11:17:34 -0400
From: "Jason Portwood" <jason@iac.net>
To: <freebsd-security@FreeBSD.ORG>
Subject: RE: log-in-vain [ was: 10 days ]
Message-ID: <6381A6A8826BD31199500090279CAFBA106958@FOGHORN>
In-Reply-To: <6381A6A8826BD31199500090279CAFBA0D8BC2@FOGHORN>
> > Something you might want to do, if you haven't already, is enable
> > log_in_vain in /etc/rc.conf by adding 'log_in_vain="YES"'.
> > It will log connection attempts on ports that have nothing listening on
> > them. It can be very enlightening.
> Same thing goes for logging ipfw on the rejects.

It's interesting sometimes to fire up another IP alias and see the people
scanning by...

> but what does one *do* with the info? there is so much scanning and so
> many baby cracker attempts that it does little good writing to source address
> admins. and the sources are spoofed in the majority of the cases anyway.

The best defense is to have as much control, or rather restriction, as
possible over what goes on. If it's not needed, why have it running? If a
service on a machine only needs to talk to one other machine, use ipfw and
restrict it. Every little bit helps. Then sit back, keep things up to date,
watch the mailing lists for bugs, and just watch what's going on. Like with
spam, you probably don't send complaints about every one of them.

> while i think log watching is important, it can be massive
> data. so i try to keep it down to those data about which i can do something,
> either by changing my defenses or by dealing with the source of the problem.

I saw something mentioned a while back on the list that might be of help. It
was a program that would watch for network scanners. Then, when one was found
scanning around, it would send a route packet to your core router to forward
all traffic from that scanner's IP to the scan-watching machine. The server
then would route the detected scanner to, I believe, a null device, or just
let the scanner rescan that box again. You would just route small chunks of
your network(s) to the scan detection machine. I thought it sounded great but
haven't had the time to contact the author about it. I don't recall any
further discussion on it, but what do others think about that? Curious to
know...
Jason Portwood - jason@iac.net
Systems Administrator - Strategic/Internet Access Cincinnati
Sales and Tech Support - 513-860-9052
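One way to handle the volume problem raised in the thread, boiling log_in_vain output down to a per-source summary so only sources that probed several distinct ports stand out, as an added example that is not part of the original message. The log lines are constructed for the demo, and the kernel message wording ("Connection attempt to TCP a.b.c.d:port from w.x.y.z:port") is assumed from FreeBSD's log_in_vain output:

```shell
#!/bin/sh
# Constructed sample of syslog lines as written by a FreeBSD kernel with
# log_in_vain="YES" (message format assumed; addresses are documentation
# ranges). 192.0.2.7 touches four closed ports, the others touch one each.
SAMPLE_LOG='Apr 21 11:17:34 fw /kernel: Connection attempt to TCP 10.0.0.1:23 from 192.0.2.7:4321
Apr 21 11:17:34 fw /kernel: Connection attempt to TCP 10.0.0.1:21 from 192.0.2.7:4322
Apr 21 11:17:35 fw /kernel: Connection attempt to TCP 10.0.0.1:110 from 192.0.2.7:4323
Apr 21 11:17:35 fw /kernel: Connection attempt to TCP 10.0.0.1:143 from 192.0.2.7:4324
Apr 21 11:18:02 fw /kernel: Connection attempt to UDP 10.0.0.1:137 from 198.51.100.3:137
Apr 21 11:20:15 fw /kernel: Connection attempt to TCP 10.0.0.1:25 from 203.0.113.9:51000'

# scan_summary [MIN_PORTS]: reads log lines on stdin and prints one line
# "<source> <distinct ports> <first seen> <last seen>" for every source
# that hit at least MIN_PORTS distinct protocol/port pairs (default 3),
# busiest source first. Single hits from stray clients drop out.
scan_summary() {
    min_ports=${1:-3}
    awk -v min="$min_ports" '
        /Connection attempt to/ {
            # last field is "src:sport"; drop the ephemeral source port
            src = $NF; sub(/:[0-9]+$/, "", src)
            # field NF-2 is "dst:dport", field NF-3 the protocol name
            dst = $(NF-2); sub(/^.*:/, "", dst)
            key = src ":" $(NF-3) "/" dst
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
            ts = $1 " " $2 " " $3
            if (!(src in first)) first[src] = ts
            last[src] = ts
        }
        END {
            for (s in ports)
                if (ports[s] >= min)
                    printf "%s %d %s %s\n", s, ports[s], first[s], last[s]
        }' | sort -k2,2nr
}

# Stand-alone run: in practice feed it with
#   grep "Connection attempt" /var/log/messages | scan_summary 5
printf '%s\n' "$SAMPLE_LOG" | scan_summary 3
```

The threshold is the knob for "data about which i can do something": raise it until the report lists only sources worth an ipfw rule or a complaint.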