Security....

Rodolfo J. Paiz rpaiz at simpaticus.com
Wed Oct 27 16:27:06 UTC 2004


On Wed, 2004-10-27 at 18:09 +0300, Andrey Andreev wrote:
> How about setting portsentry to block IPs (temporarily) after 10 or so 
> attempts? Can it do that (I kind of think so)?
> 

No. Portsentry can only bind to ports on which there is not already
another program listening, so it cannot bind to 22. What I did do with
Portsentry is combine it with Shorewall to somewhat reduce hostile
probes, roughly this way:

 1. Create a set of "hostile" ports. These are ports which no sane and
normal person would *ever* use on your box, and where you are prepared
to drop someone off the face of the Earth for even looking at them. For
instance, on my commercial webserver I would never expose portmap (111)
to the Internet, nor should anyone ever attempt to print to that box (it
being in a locked cabinet 1,500 miles away). So my list of hostile ports
for that box includes 111 and 515 (and 23, 1080, 8080, 12345, mssql,
etc., all ports that should never, ever, *ever* be poked).

 2. Use Shorewall to firewall the box, and create REDIRECT rules in the 
firewall to move all such traffic to a single port (on my box, 49999).
This limits exposure to potential risks, since *if* I somehow messed up
and actually activated portmap it would still not get any requests from
outside... all outside requests for tcp/111 would go to tcp/49999.

 3. Create a script which calls Shorewall's blacklisting functionality
(given an IP address) and drops this IP address into a black hole. The
script also schedules an "at" job for X days (in my case, 2 days) later
to remove that restriction. You don't want to keep blocking everything
forever since your block list gets huge and most IPs that get blocked
are going to be dial-up anyway.

 4. Configure Portsentry with a hair trigger: any IP that sends even a
single packet to port 49999 gets instantly black-holed with the script
from Step 3.

The result is that I generally have 15-20 hosts blocked at any one time,
and that most script kiddies who reach my system poke a hostile port
while looking for the most common exploits. The number of attacks has
gone way down, and the kiddie who sets off Shorewall/Portsentry has to
wait another two days to try to test my SSH port. In reality, most
simply move on.

I love it.

-- 
Rodolfo J. Paiz <rpaiz at simpaticus.com>
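The Step 3 script is not included in the message above. The following is an added editorial example of how that piece could be written, not Rodolfo's own script. It assumes Shorewall's dynamic blacklist commands (shorewall drop / shorewall allow), at(1) for the timed release, a two-day hold, an install path of /usr/local/sbin/blackhole.sh, and the tcp/49999 trap port from Step 2; the REDIRECT rule and portsentry.conf lines shown in the comments are a reconstruction of the described setup, not copied from his configuration. One check the message does not mention is validating the address before it is handed to at(1): Portsentry substitutes $TARGET$ into the command line, and a script that trusts that string blindly would splice whatever it receives into a shell command that runs two days later as root.

```shell
#!/bin/sh
# blackhole.sh: black-hole a probing IP with Shorewall's dynamic blacklist and
# queue its release with at(1).  Editorial example; paths, port and hold time
# are assumptions, not taken from the original post.
#
# Assumed wiring around this script (reconstruction, not the author's files):
#   /etc/shorewall/rules  REDIRECT  net  49999  tcp  111,515,23,1080,8080,12345,1433
#   portsentry.conf       TCP_PORTS="49999"
#                         KILL_RUN_CMD="/usr/local/sbin/blackhole.sh $TARGET$"

BLOCK_DAYS="${BLOCK_DAYS:-2}"                        # how long an IP stays dropped
SELF="${SELF:-/usr/local/sbin/blackhole.sh}"         # path the at(1) job calls back

# Accept only a dotted-quad IPv4 address.  Anything else (shell metacharacters,
# hostnames, IPv6) is refused so it can never be spliced into the at(1) job.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Drop the address immediately, then schedule the matching allow so the
# blacklist does not grow without bound.
blackhole_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "blackhole: refusing malformed address '$ip'" >&2
        return 2
    fi
    shorewall drop "$ip" || return 1
    echo "$SELF --release $ip" | at now + "$BLOCK_DAYS" days >/dev/null 2>&1
}

# Called by the at(1) job when the hold time has elapsed.
release_ip() {
    ip=$1
    valid_ipv4 "$ip" || return 2
    shorewall allow "$ip"
}

case "$1" in
    --release) release_ip "$2" ;;
    "")        ;;                     # no argument: only define the functions
    *)         blackhole_ip "$1" ;;
esac
```

Portsentry invokes the script as "blackhole.sh 203.0.113.5" the moment a packet reaches 49999; the queued job later runs "blackhole.sh --release 203.0.113.5". Both paths go through valid_ipv4 first, so a bad $TARGET$ is logged and discarded rather than executed.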