[plug] How to stop scanning

Luke Dudney ldlist at westnet.com.au
Thu Mar 4 11:17:15 WST 2004


I would not recommend using this functionality of portsentry at all. An
attacker could easily spoof the source address of some hosts that you
need to contact (e.g. root DNS servers) and perform a denial of service
on you.

> Mar 4 07:47:15 gateway portsentry[10336]: attackalert: TCP SYN/Normal scan from host: cae31-216-192.sc.rr.com/24.31.216.192 to TCP port: 135
> Mar 4 07:47:15 gateway portsentry[10336]: attackalert: Host 24.31.216.192 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 24.31.216.192 -j DROP"

Your firewall should be dropping this traffic anyway! Deny everything by
default, and permit only that which is explicitly required. Reactively
dropping all packets from a host based on information you cannot be sure
is accurate (the source IP address) is just asking for trouble, IMHO.

Cheers
Luke

On Thu, 2004-03-04 at 08:10, Jon Miller wrote:
> In my /var/log/message file I'm seeing scanning attempts and portsentry dropping the scanning IP address.  Is there a way to prevent these scans from happening in the first place?  I ask because when portsentry kicks in it also seems to stop all outgoing traffic as well as incoming traffic.
> 
> example:
> 
> Mar 4 07:47:15 gateway portsentry[10336]: attackalert: TCP SYN/Normal scan from host: cae31-216-192.sc.rr.com/24.31.216.192 to TCP port: 135
> Mar 4 07:47:15 gateway portsentry[10336]: attackalert: Host 24.31.216.192 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 24.31.216.192 -j DROP"
> 
> Thanks
> 
> Jon L. Miller, MCNE, CNS, ASE
> Director/Sr Systems Consultant
> MMT Networks Pty Ltd
> http://www.mmtnetworks.com.au
> 
> "I don't know the key to success, but the key to failure
>  is trying to please everybody." -Bill Cosby
> 
> 
> 
> 
> _______________________________________________
> plug mailing list
> plug at plug.linux.org.au
> http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
-- 
____________________________________________
Luke Dudney
Network Operations
WestNet - Your Australia Wide Internet Provider 
Phone: (08) 6263 6300 - Fax: 1300 554 160
<http://www.westnet.com.au> 
It's SERVICE that sets us APART 
____________________________________________
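The two points above, a deny-by-default ruleset so the scan never needs a reactive block, and a guard against dropping a host you cannot afford to lose because its address may be spoofed, as an added example. This is not code from either mail and not portsentry's own code. It assumes a WAN interface eth0, a LAN of 192.168.1.0/24, upstream resolvers 203.0.113.53 and 203.0.113.54, and SSH (from the LAN) plus SMTP as the only services the gateway must accept; the two log lines are constructed, the first copying the alert in the post and the second showing what a SYN with a spoofed resolver source would look like. IPT defaults to echoing the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original thread or from portsentry.
# Assumptions (none of these are in the post): WAN interface eth0, LAN
# 192.168.1.0/24, upstream resolvers 203.0.113.53 and 203.0.113.54, and SSH
# (from the LAN) plus SMTP as the only services the gateway must accept.
# IPT defaults to "echo iptables" so the script prints the rules it would
# apply; run it as root with IPT=iptables to apply them for real.

IPT="${IPT:-echo iptables}"
WAN_IF="eth0"
LAN_NET="192.168.1.0/24"
# Hosts the gateway must always be able to reach. A SYN whose source address
# is spoofed to one of these must never result in that address being dropped,
# otherwise the attacker has cut off our DNS (or our own LAN) with one packet.
NEVER_BLOCK="203.0.113.53 203.0.113.54 192.168.1.*"

# Constructed sample log lines. The first mirrors the alert in the post; the
# second is made up to show a scan whose source is one of our resolvers, which
# is what a spoofed SYN from an attacker would look like in the log.
ALERT_REAL='Mar  4 07:47:15 gateway portsentry[10336]: attackalert: TCP SYN/Normal scan from host: cae31-216-192.sc.rr.com/24.31.216.192 to TCP port: 135'
ALERT_SPOOFED='Mar  4 07:50:02 gateway portsentry[10336]: attackalert: TCP SYN/Normal scan from host: ns1.example.net/203.0.113.53 to TCP port: 135'

# Default-deny ruleset: flush, set DROP policies, then permit only what is
# explicitly required. An unsolicited SYN to port 135 matches no ACCEPT rule
# and is dropped by policy, so there is nothing left for portsentry to react to.
default_deny_ruleset() {
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host started, including UDP answers from the
    # resolvers it queries.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 25 -j ACCEPT
}

# Extract the source address from a portsentry "scan from host: name/ip" line.
alert_source_from_log() {
    printf '%s\n' "$1" |
        sed -n 's|.*scan from host: [^/ ]*/\([0-9.]*\) to [A-Z]* port.*|\1|p'
}

# Returns 0 when blocking $1 is safe, 1 when it is a protected host.
safe_to_block() {
    set -f   # keep the shell from globbing the "192.168.1.*" pattern against files
    for pat in $NEVER_BLOCK; do
        case "$1" in
            $pat) set +f; return 1 ;;
        esac
    done
    set +f
    return 0
}

# What a reactive blocker should do with one alert line: check the source
# against the protected list before issuing the same DROP portsentry would.
decide_block() {
    src=$(alert_source_from_log "$1")
    if [ -z "$src" ]; then
        echo "no source address found in alert line"
        return 2
    fi
    if safe_to_block "$src"; then
        echo "block $src"
        $IPT -I INPUT -s "$src" -j DROP
        return 0
    fi
    echo "refuse $src: protected host, source address may be spoofed"
    return 1
}

# Stand-alone demonstration: print the ruleset, then run both alerts through
# the guard. The spoofed one is refused rather than blocked.
default_deny_ruleset
for line in "$ALERT_REAL" "$ALERT_SPOOFED"; do
    decide_block "$line" || true
done
```

With the default-deny policy in place the reactive DROP adds nothing for port 135, since the SYN is already dropped; the guard is only there for anyone who keeps portsentry's blocking enabled. portsentry itself ships a portsentry.ignore file (the IGNORE_FILE setting in portsentry.conf) for the same purpose, and at minimum the resolvers, the gateway's own addresses and the LAN belong in it.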