
Re: IPCHAINS very simple question



At 03:01 AM 3/10/00, Wellington Terumi Uemura wrote:

If we put a prog to check our systems (servers) like portsentry, iplogger or whatever and create a script or program to filter these logs, grab the attacker's IP, and auto-generate ipchains rules against the intruder???

Portsentry already does something like this. You can tell it to drop route when it detects a scan and it will add a route from the attacker's IP to a valid, unused IP address you specify. To the attacker, your Linux box suddenly disappeared because all his packets hit your server and then go to this unused IP (rather than back to the bad guy). In many contexts this is a great idea. Nothing is all gravy, however, and the portsentry docs quite clearly describe the potential for an attacker to use this feature and IP spoofing to cause your server to lose contact with other (innocent and perhaps vitally important) hosts. So use with caution. I don't think portsentry will modify ipchains but I could be wrong about that.



---
Alan D. Mead / Research Scientist / adm ipat com
Institute for Personality and Ability Testing
1801 Woodfield Dr / Savoy IL 61874 USA
217-352-4739 (v) / 217-352-9674 (f)
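The log-to-rules idea from this exchange, with a guard for the spoofing caveat raised in the reply, as an added example that is not part of the original messages. The log line shape (modelled on portsentry "attackalert" entries), the never-block list and all addresses are assumptions constructed for illustration; the script only returns `ipchains` commands for review and does not run them.

```python
import ipaddress
import re

# Assumed log shape, modelled on portsentry "attackalert" syslog lines.
ALERT_RE = re.compile(r"attackalert: .*from host: \S*?/(\d{1,3}(?:\.\d{1,3}){3}) to")

# Constructed sample input (documentation address ranges only).
SAMPLE_LOG = [
    "Mar 10 03:01:12 fw portsentry[411]: attackalert: Connect from host: scanner.example/203.0.113.7 to TCP port: 143",
    "Mar 10 03:01:13 fw portsentry[411]: attackalert: Connect from host: 203.0.113.7/203.0.113.7 to TCP port: 111",
    "Mar 10 03:02:40 fw portsentry[411]: attackalert: Connect from host: gw/192.0.2.1 to TCP port: 23",
    "Mar 10 03:02:41 fw portsentry[411]: attackalert: Connect from host: x/999.1.1.1 to TCP port: 23",
    "Mar 10 03:03:05 fw portsentry[411]: attackalert: Connect from host: 198.51.100.20/198.51.100.20 to TCP port: 79",
]

# Hosts that must stay reachable even if a scan appears to come from them,
# because the source address of a scan can be spoofed (hypothetical gateway/DNS).
NEVER_BLOCK = ["127.0.0.0/8", "192.0.2.1/32", "192.0.2.53/32"]


def build_rules(lines, never_block=NEVER_BLOCK, max_rules=100):
    """Return (rules, skipped): ipchains commands to review, and refused IPs."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    rules, skipped, seen = [], [], set()
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address in the log: ignore it
        if ip in seen:
            continue  # one rule per source, however many alerts it produced
        seen.add(ip)
        if any(ip in net for net in protected):
            skipped.append(str(ip))  # possibly spoofed: report it, do not block
        elif len(rules) < max_rules:  # cap what a flood of spoofed sources can add
            rules.append(f"ipchains -I input -s {ip} -j DENY -l")
    return rules, skipped


if __name__ == "__main__":
    new_rules, refused = build_rules(SAMPLE_LOG)
    print("\n".join(new_rules))
    print("refused to block:", refused)
```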


