[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[linux-security] Re: portmap vulnerability?




-----Original Message-----
From: cfb [mailto:cfb ocn21 kdd-ok ne jp]
Sent: Sunday, December 13, 1998 5:16 AM
To: Matt
Subject: [linux-security] Re: portmap vulnerability?

>... or did I just miss something in the man page? 
>Might this be a handy way to detect port scans or spoofed packets (if
>connections are being initiated at ports that don't respond/handshake,
>what else could it be (disregarding udp, of course)?)?  Maybe that's a
>bit beyond the current scope of wrappers, but it would be nice.  Oh
>well, more work for someone else...

Hmm... speaking of putting unused ports to work to detect port scans
-- here's a cute piece of software that does just that + a bit more:

http://www.psionic.com/abacus/abacus.html

Take a look at the "Sentry" software.  Besides detecting TCP & UDP
port scans, it has the ability to immediately add the offending host to
hosts.deny, as well as adding a bogus route back to them in the
routing table... effectively making you disappear.  I've run it for
about two months now on a server that gets sniffed at a lot.  It
works.  I can think of a couple of ways someone could turn this
software against you ("scanning" you with packets with a spoofed
source IP that matches a legitimate host you haven't defined to ignore
-- thus breaking the routing), but in Real Life, it has done very
well.

Mark


[mod: Message body reformatted for clarity. -- REW]

[mod: This is also a controversial tool. Mark knows the disadvantages
and he mentions them. What works for him may work for you. Maybe not.
So let's not discuss "security policies" again OK? -- REW]
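The following is an added illustration of the mechanism Mark describes, not the Sentry/PortSentry code itself: ports that nothing listens on act as tripwires, a source that touches enough of them gets a hosts.deny entry and a reject route, and a list of hosts "defined to ignore" is the only thing standing between a spoofed-source scan and a blackholed legitimate host. The tripwire port list, the three-port threshold, the addresses (RFC 5737 documentation ranges) and the exact hosts.deny / route command text are all assumptions chosen for the example.

```python
"""
Tripwire-port scan detector in the style Mark describes for the Abacus
Sentry tool: ports nothing listens on act as tripwires, and a source that
touches enough of them is blocked with a hosts.deny entry plus a reject
route.  This is an added illustration, not the Sentry/PortSentry code.
The port list, threshold, addresses and command syntax are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed tripwire set: ports this host does not serve, so any connection
# attempt to them is either a scan or a misconfiguration.
TRIPWIRE_PORTS = {1, 11, 15, 79, 111, 119, 143, 540, 635, 1080, 12345, 31337}


def block_actions(src):
    """The two reactions described in the post, rendered as the line an
    operator would append to tcp_wrappers' hosts.deny and the net-tools
    'route ... reject' command (assumed syntax; nothing is executed here)."""
    return [
        f"/etc/hosts.deny: ALL: {src}",
        f"route add -host {src} reject",
    ]


@dataclass
class Detector:
    # Networks whose traffic is never acted on: the "hosts you have defined
    # to ignore" safeguard against scans with a forged source address.
    ignore_nets: list
    threshold: int = 3          # distinct tripwire ports before blocking
    hits: dict = field(default_factory=lambda: defaultdict(set))
    blocked: set = field(default_factory=set)
    actions: list = field(default_factory=list)

    def observe(self, src, dport):
        """Record one connection attempt (src IP, dst port); return the block
        actions if this attempt crosses the threshold, else None."""
        if dport not in TRIPWIRE_PORTS or src in self.blocked:
            return None
        if any(ip_address(src) in net for net in self.ignore_nets):
            return None
        self.hits[src].add(dport)
        if len(self.hits[src]) < self.threshold:
            return None
        self.blocked.add(src)
        acts = block_actions(src)
        self.actions.extend(acts)
        return acts


def run(events, ignore_nets=()):
    """Replay a list of (src_ip, dst_port) events through a fresh Detector."""
    det = Detector(ignore_nets=[ip_network(n) for n in ignore_nets])
    for src, dport in events:
        det.observe(src, dport)
    return det


# Constructed sample traffic (documentation address ranges, not real hosts).
SCAN_FROM_ATTACKER = [("203.0.113.9", p) for p in (111, 1080, 12345, 31337)]
NORMAL_TRAFFIC = [("192.0.2.53", 53), ("198.51.100.7", 80), ("198.51.100.7", 22)]
# The hazard Mark mentions: a scan whose source address is forged to be
# our own DNS server (192.0.2.53).  Reacting blindly blackholes that server.
SPOOFED_AS_DNS = [("192.0.2.53", p) for p in (1, 11, 15)]

if __name__ == "__main__":
    traffic = SCAN_FROM_ATTACKER + NORMAL_TRAFFIC + SPOOFED_AS_DNS
    naive = run(traffic)
    print("without an ignore list, blocked:", sorted(naive.blocked))
    guarded = run(traffic, ignore_nets=["192.0.2.0/24"])
    print("with 192.0.2.0/24 ignored, blocked:", sorted(guarded.blocked))
    for action in guarded.actions:
        print("  ", action)
```

The second run is the point of the exercise: the same spoofed packets that would have cut the host off from its own DNS server are ignored once the legitimate network is whitelisted, while the real scanner is still blocked after its third tripwire port. Whatever tool does this for real, the ignore list has to cover every host the machine cannot afford to lose a route to, because the trigger is a source address the attacker chooses.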


