[prev in list] [next in list] [prev in thread] [next in thread] 

List:       sentry
Subject:    [Abacus] portsentry + ipchains selective blocking
From:       "matteo.valsasna" <valsasna () uninsubria ! it>
Date:       2000-08-24 9:03:55
[Download RAW message or body]

Hi all,

I am new to this list and couldn't find any archives on line, so I
apologize if I am posting an idea that has already been discussed.


I just installed portsentry and find it quite nice and useful.

on one linux host, I use ipchains-based automatic filtering, but I
noticed that a finer granularity of control on the measures taken
against scanners can be gained by making use of user-defined ipchais,
allowing an administrator to decide which hosts can be denied which
services and which cannot, or that some services will never be denied


in portsentry.conf:

#instead of simply denying packets from scanners:
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

#those packets can be sent for evaluation to a specific chain:
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j scanners"


#in a boot script, create the chain:
ipchains -N scanners

# decide what to do with with those packets, i.e.:

# some hosts are never blocked
ipchains -A scanners -s <internal net> -j RETURN -l

# some hosts are never denied certain services
ipchains -A scanners -s <customers net> --destination-port 53 -j RETURN

# some services are never denied to anyone
ipchains -A scanners --destination-port 80 -j RETURN

# other hosts/services are simply denied:
ipchains -A scanners -j DENY -l

this could avoid denying vital services to customers, in case of a false
positive scan or even in case they are actually scanning our hosts

notice you can also refine the ipchains-generated logging by applying
the -l flag only to some of the ipchains rules


if you find this idea useful, you could mention it in the
documentation/conf file template for a next version.

MAtteo

--
  MAtteo Valsasna - matteo.valsasna@uninsubria.it
	   Network and UNIX administrator
SIC - Universita` degli Studi dell'insubria (sede di Como)
voice ++39-031-238.9720         fax ++39-031-238.9709
----------------------------------------------------------------
A fool must now and then be right by chance.

[prev in list] [next in list] [prev in thread] [next in thread]