[plug] responding to portscans
Grahame Bowland
grahame at azale.net
Sat Oct 5 22:41:20 WST 2002
On Saturday 05 October 2002 19:34, Simon Scott wrote:
> Hi all
>
> Has anyone investigated portsentry and its alternatives, and give me any
> insight into which one would be the way to go? portsentry relies on csh,
> which struck me as so stupid I've gone off it :)
>
> I was almost going to write my own in perl but I've gotta stop reinventing
> the wheel :)
The trouble with portsentry is that people set up active responses from a
single TCP 'SYN' packet. So someone portscans you and you filter them.
Why is this bad? Anyone can send a TCP 'SYN' with IP source address of (for
example) your ISP's router -- your default route. And then you will
immediately lose connectivity when you filter your default route.
I guess the only way to safely do this is have something running in iptables
that redirects connections to all non-open TCP ports into a daemon process.
This daemon can wait for a full TCP connection (with the triple handshake) to
come up, and (assuming your ISN is secure) you'll be pretty sure the IP
address is valid to take action against them.
Cheers
Grahame
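The point Grahame makes above, worked through as an added example (this is not code from the thread, portsentry, or any project; all addresses, ports and packet contents are constructed): a portsentry-style policy that blocks on a single SYN can be tricked into blocking the default gateway by a forged source address, whereas a daemon that answers redirected connections itself and acts only once the peer acknowledges an unguessable ISN cannot be fooled that way. The `Packet` class, `HandshakeGate` and `run_scenario` are assumptions of this example, not part of any real tool.

```python
"""Added example: blocking on a bare SYN vs. gating on a completed handshake."""
import secrets
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
GATEWAY = "192.0.2.1"        # our default route, the victim in the post's scenario
SCANNER = "203.0.113.5"      # a host genuinely probing us
OUR_IP = "192.0.2.10"
LISTENING_PORTS = {22, 80}   # anything else is "closed" and redirected to the daemon


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    seq: int = 0
    ack: int = 0


def naive_block_on_syn(packets):
    """portsentry-style policy: one SYN to a closed port blocks the source.
    A SYN's source address is trivially forgeable, so an attacker chooses
    who gets blocked, including the gateway."""
    blocked = set()
    for p in packets:
        if p.flags == "S" and p.dport not in LISTENING_PORTS:
            blocked.add(p.src)
    return blocked


class HandshakeGate:
    """Daemon-side logic for ports redirected to us (e.g. by an iptables
    REDIRECT rule): answer each SYN with a SYN/ACK carrying a random 32-bit
    ISN and only treat the source as real once its ACK acknowledges ISN+1.
    A spoofer never sees the SYN/ACK, so it would have to guess the ISN."""

    def __init__(self, isn_source=None):
        self.isn_source = isn_source or (lambda: secrets.randbits(32))
        self.pending = {}      # (src, sport, dport) -> ISN we sent
        self.blocked = set()

    def observe(self, p):
        """Feed one inbound packet; return our reply packet, if any."""
        if p.dport in LISTENING_PORTS:
            return None                      # a real service owns this port
        key = (p.src, p.sport, p.dport)
        if p.flags == "S":
            isn = self.isn_source()
            self.pending[key] = isn
            return Packet(OUR_IP, p.src, p.dport, p.sport, "SA",
                          seq=isn, ack=(p.seq + 1) & 0xFFFFFFFF)
        if p.flags == "A" and key in self.pending:
            expected = (self.pending.pop(key) + 1) & 0xFFFFFFFF
            if p.ack == expected:
                self.blocked.add(p.src)      # handshake completed: source is real
        return None


def run_scenario(isn_source=None):
    """Constructed traffic: a SYN forged to look like it came from the gateway,
    then an honest scanner that completes the handshake.
    Returns (naive_blocked, gated_blocked)."""
    gate = HandshakeGate(isn_source)
    traffic = []

    # 1. Forged SYN "from" the gateway; the forger never sees our SYN/ACK,
    #    so the best it can do is guess the ACK number.
    forged_syn = Packet(GATEWAY, OUR_IP, 40000, 31337, "S", seq=1000)
    traffic.append(forged_syn)
    gate.observe(forged_syn)
    guessed_ack = Packet(GATEWAY, OUR_IP, 40000, 31337, "A", seq=1001, ack=1)
    traffic.append(guessed_ack)
    gate.observe(guessed_ack)

    # 2. Genuine scanner: it receives our SYN/ACK and acknowledges ISN + 1.
    syn = Packet(SCANNER, OUR_IP, 50000, 31337, "S", seq=5000)
    traffic.append(syn)
    synack = gate.observe(syn)
    ack = Packet(SCANNER, OUR_IP, 50000, 31337, "A",
                 seq=5001, ack=(synack.seq + 1) & 0xFFFFFFFF)
    traffic.append(ack)
    gate.observe(ack)

    return naive_block_on_syn(traffic), gate.blocked


if __name__ == "__main__":
    naive, gated = run_scenario()
    print("naive policy blocks:", sorted(naive))   # gateway included: default route lost
    print("gated policy blocks:", sorted(gated))   # scanner only
```

The gate's strength rests entirely on the ISN being unpredictable, which is exactly the caveat in the post; with a guessable ISN the spoofer could supply the right ACK number and the two policies would be equally fragile.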