Automatic blocking

[Amadeus W. M.]

On Wed, 16 Aug 2006 12:07:18 -0400, David Cary Hart wrote:

> On Wed, 16 Aug 2006 11:34:25 -0400, "Amadeus W. M."
> <amadeus84 at cablespeed.com> opined:
>> On Wed, 16 Aug 2006 04:25:38 -0600, Ashley M. Kirchner wrote:
>> 
>> 
>> The answer to your question is portsentry. It runs in the
>> background, monitoring a list of ports for incoming connections. If
>> an attacker hits a port so many times in a short amount of time,
>> portsentry bans the offending machine, by introducing the
>> appropriate rule in iptables. Of course, the list of ports, and the
>> threshold for the number of hits are configurable. 
>> 
>> That said, cool as it may sound, portsentry has a major drawback
>> which made me and many others prefer a non-dynamic approach to
>> security. Portsentry can be used to produce a denial of service
>> attack. Suppose you connect regularly from your work.com machine
>> to your home.net machine, and malicious.com knows that. Then 
>> malicious.com can send packets to home.net pretending to originate
>> from work.com. Then for all it knows, portsentry running on your
>> home.com will cut off acces to work.com. Sounds complicated, but
>> it's trivial to do that, with things like nc or nmap. 
>> 
> Using the swatch (perl) to execute a script is far more
> flexible and controllable (IMO).
> -- 
>       Do NOT Send Email to <spam trap> Fedora at TQMcube,com
> Our DNSRBL - Eliminate Spam at The Source: http://www.TQMcube.com
>                Don't Subsidize Criminals: http://boulderpledge.org


I don't care to defend portsentry, but I'll say that portsentry
is highly configurable too. However you configure a dynamic
firewall, I think you can still lock yourself out, if you try.
I don't think the DoS scenario I outline above is portsentry 
specific. I'm not familiar with swatch though, so I may be wrong.
After my portsentry days, I completely dropped any dynamic 
approach to security.