Date: Wed, 26 Apr 2000 00:20:21 -0700
From: "Col.Panic" <panic@antix.org>
To: freebsd-security@FreeBSD.ORG
Subject: RE: log-in-vain [ was: 10 days ]
Message-ID: <4.2.0.58.20000426001631.00aec008@satan.antix.org>
In-Reply-To: <6381A6A8826BD31199500090279CAFBA106958@FOGHORN>
References: <6381A6A8826BD31199500090279CAFBA0D8BC2@FOGHORN>
wow... sorry for the late reply, but the software you are referring to is called portsentry, and was developed by Psionic software (http://www.psionic.com/abacus/portsentry/). I've been running the software, and it seems to do a pretty solid job of finding and blocking port scan attempts. They also have a cool module-based program called hostsentry. It 'watches' your users' login behaviors, and blocks out abnormalities.

-Jason

At 11:17 AM 4/21/2000 -0400, you wrote:
>
> > > Something you might want to do, if you haven't already, is enable
> > > log_in_vain in /etc/rc.conf by adding 'log_in_vain="YES"'.
> > > It will log connection attempts on ports that have nothing listening on
> > > them. It can be very enlightening.
>
> Same thing goes for logging ipfw on the rejects. It's interesting sometimes
> to fire up another IP alias and see the people scanning by...
>
> > but what does one *do* with the info? there is so much scanning and so
> > many baby cracker attempts that it does little good writing to source
> > address admins. and the sources are spoofed in the majority of the cases anyway.
>
> The best defense is to have as much control or rather restriction as
> possible over what goes on. If it's not needed why have it running. If a
> service on a machine only needs to talk to one other machine use ipfw and
> restrict it. Every little bit helps.
>
> Then sit back, keep things up to date, watch the mailing lists for bugs, and
> just watch what's going on. Like with spam you probably don't send complaints
> about every one of them.
>
> > while i think log watching is important, it can be massive
> > data. so i try to keep it down to those data about which i can do
> > something, either by changing my defenses or by dealing with the source
> > of the problem.
>
> I saw something mentioned a while back on the list that might be of help.
> It was a program that would watch for network scanners. Then when one was
> found scanning around it would send a route packet to your core router to
> forward all traffic from that scanner's IP to the scan watching machine. The
> server then would route the detected scanner to I believe a null device or
> just let the scanner rescan that box again. You would just route small
> chunks of your network(s) to the scan detection machine. I thought it
> sounded great but haven't had the time to contact the author about it.
>
> I don't recall any further discussion on it but what do others think about
> that? Curious to know...
>
> Jason Portwood - jason@iac.net
> Systems Administrator - Strategic/Internet Access Cincinnati
> Sales and Tech Support - 513-860-9052

-[TR] Col.Panic
Founder / Webmaster / Postmaster / Hostmaster, Tech's Revenge
"Out you demons of Stupidity!"
http://www.antix.org
http://www.techsrevenge.com
http://www.heartofevil.com
unreal.cts.com:7777 UT CTF 413a
unreal.cts.com:7788 UT Assault 413a

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
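The quoted discussion turns on a practical problem: log_in_vain produces a lot of noise, and the useful signal is the handful of sources that touch many closed ports in a short span. The following script is an added illustration, not code from this thread or from portsentry. It assumes the kernel message format "Connection attempt to TCP a.b.c.d:port from w.x.y.z:port" that log_in_vain writes to syslog (check your own /var/log/messages, the exact wording may differ by release), and the sample syslog lines are constructed, with documentation-range addresses, not taken from a real host.

```python
import re
from collections import defaultdict

# Pattern for the kernel message that log_in_vain="YES" emits when a packet
# arrives for a port with no listener. The wording is an assumption about the
# FreeBSD kernel of this era; adjust the regex if your syslog output differs.
LOG_IN_VAIN_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)"
)

# Constructed sample log lines (not from a real machine). One source walks
# five different closed ports; another touches two; one line is unrelated.
SAMPLE_LOG = """\
Apr 26 00:01:02 host /kernel: Connection attempt to TCP 198.51.100.7:23 from 203.0.113.9:4001
Apr 26 00:01:02 host /kernel: Connection attempt to TCP 198.51.100.7:21 from 203.0.113.9:4002
Apr 26 00:01:03 host /kernel: Connection attempt to TCP 198.51.100.7:111 from 203.0.113.9:4003
Apr 26 00:01:03 host /kernel: Connection attempt to TCP 198.51.100.7:143 from 203.0.113.9:4004
Apr 26 00:01:04 host /kernel: Connection attempt to TCP 198.51.100.7:1080 from 203.0.113.9:4005
Apr 26 00:02:10 host /kernel: Connection attempt to TCP 198.51.100.7:113 from 192.0.2.44:33120
Apr 26 00:02:11 host /kernel: Connection attempt to UDP 198.51.100.7:137 from 192.0.2.44:137
Apr 26 00:03:00 host sshd[123]: Connection closed by 192.0.2.44
"""


def parse_log_in_vain(lines):
    """Yield (src, proto, dport) for each line that is a log_in_vain message.

    Lines that do not match (other daemons, unrelated kernel output) are
    silently skipped, which is the first step in cutting the volume down.
    """
    for line in lines:
        m = LOG_IN_VAIN_RE.search(line)
        if m:
            yield m["src"], m["proto"], int(m["dport"])


def ports_by_source(lines):
    """Map each source address to the set of distinct (proto, port) it probed."""
    probed = defaultdict(set)
    for src, proto, dport in parse_log_in_vain(lines):
        probed[src].add((proto, dport))
    return probed


def suspected_scanners(lines, min_ports=5):
    """Return [(src, distinct_port_count)] for sources at or above min_ports.

    Counting distinct closed ports rather than raw lines separates a port
    sweep from a single misconfigured client retrying one port. Results are
    sorted by descending port count, then by address, so the output is stable.
    """
    probed = ports_by_source(lines)
    hits = [(src, len(ports)) for src, ports in probed.items() if len(ports) >= min_ports]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for src, n in suspected_scanners(SAMPLE_LOG.splitlines()):
        print(f"{src} probed {n} distinct closed ports")
```

Feeding the real log in is a matter of `suspected_scanners(open("/var/log/messages"))`. The threshold of five distinct ports is a starting point, not a rule; tune it against your own baseline. As the thread itself notes, source addresses in scans are often spoofed, so this output is a watch list for a human to review, and wiring it directly into ipfw or a router null-route risks blocking whatever address the scanner chose to forge.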