On Tue, 2002-12-10 at 14:44, Tim Haynes wrote:
> Ariel Graneros <[EMAIL PROTECTED]> writes:
>
> > On Tue, 3 Dec 2002 21:19:28 EST [EMAIL PROTECTED] wrote:
> >
> >> Hi. Can you help me? Who do I report the above to? I have 2 firewalls
> >> running and tonight I was attacked from the same address 172 times in
> >> less than an hour. These people want banning off the net. It is
> >> certainly a violation of my privacy. A dozen times is an excuse but 172,
> >> I ask you. Please come back.
> >
> > A good solution is portsentry:
> >
> > http://www.psionic.com/products/portsentry.html
>
> No, a good solution is whois(1).
>
> If the OP's complaint is valid (do we have logs / a description of what was
> going off? Has he taken a cold shower since posting?) then a complaint to
> abuse@ the ISP providing the incoming IP#s *may* be appropriate.
>
> Otherwise there are perfectly rational explanations for quite a lot of
> perceived "attack"s; maybe this avenue should be pursued further.
>
> > PortSentry is part of the TriSentry suite of security tools. It is a
> > program designed to detect and respond to port scans against a target
> > host in real-time. Stealth detection modes are available under all Unix
> > platforms and detect SYN, FIN, NULL, XMAS, and Oddball packet scans. All
> > modes support real-time blocking and reporting of violations.
>
> I've just explained over on comp.os.linux.security why portsentry is a
> lousy idea, but to summarize:
>
> a) "dynamic" means nothing when the packets shouldn't have permeated to
> user-space at all;
>
> b) risk of auto-DoS if someone spoofs a given set of valuable IP#s;
>
> c) having to have no firewall, or extra holes in a firewall, in order to
> detect a finite set of events seems daft when you could just be blocking
> them already by default.
ACK. But portsentry may still be a good thing to have if for some reason the
firewall gets flushed. I know, this should never happen, but it can. With PS
you can then at least try to limit the damage by blocking selected IPs. Of
course you can pretty much DoS yourself, as you stated above.

> IOW, write a proper firewall with DROP-by-default and only as few services
> open as you need, and if you want a different view on what attacks are
> going off, get something with a *much* larger rule-base like _snort_
> instead.
>
> And when you get a real incident of either massive abuse or targeted
> attacks, *then* you whine to the people responsible.
>
> 172 packets dropped in a firewall does not a DoS - or even an attack -
> make.

ACK. My firewall dropped 200+ packets in about 2 hours. Gotta love eDonkey.....

-- 
Matthias Hentges
[www.hentges.net] -> PGP + HTML are welcome
ICQ: 97 26 97 4 -> No files, no URLs

My OS: Debian Woody: Geek by Nature, Linux by Choice


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
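Tim asks for "logs / a description of what was going off" before anyone writes to abuse@, and Matthias's 200+ eDonkey drops show why a raw count is not enough. The script below is an added example, not code from anyone in the thread: it groups the LOG lines a DROP-by-default iptables ruleset (with a `-j LOG` rule ahead of the DROP) writes to syslog by source address and says whether a source is hammering one port or sweeping several. The log lines are constructed, the addresses are documentation ranges, and the three-port threshold for calling something a sweep is an arbitrary assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed netfilter LOG lines (syslog prefix + kernel fields); documentation-range
# addresses, not real captured traffic.
SAMPLE_LOG = """\
Dec 10 14:01:02 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=48 TTL=113 PROTO=TCP SPT=4662 DPT=4662 SYN
Dec 10 14:01:05 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=48 TTL=113 PROTO=TCP SPT=4662 DPT=4662 SYN
Dec 10 14:01:11 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=48 TTL=113 PROTO=TCP SPT=4662 DPT=4662 SYN
Dec 10 14:03:40 gw kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=40001 DPT=21 SYN
Dec 10 14:03:40 gw kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=40002 DPT=22 SYN
Dec 10 14:03:41 gw kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=40003 DPT=23 SYN
Dec 10 14:09:58 gw kernel: IN=ppp0 OUT= SRC=192.0.2.200 DST=203.0.113.5 LEN=28 TTL=240 PROTO=UDP SPT=1900 DPT=1900
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) "
                     r".*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?")

def summarize(log_text):
    """Per source address: hit count, distinct destination ports, first/last timestamp."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a netfilter LOG line
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
        rec = per_src[m.group("src")]
        rec["count"] += 1
        if m.group("dpt"):
            rec["ports"].add(int(m.group("dpt")))
        rec["first"] = min(filter(None, (rec["first"], ts)))
        rec["last"] = max(filter(None, (rec["last"], ts)))
    return per_src

def triage(per_src, sweep_ports=3):
    """Repeats to one port usually mean a stale peer retrying (the eDonkey case above);
    several distinct ports look like a scan. Either way the packets were dropped."""
    verdicts = {}
    for src, rec in sorted(per_src.items()):
        span = int((rec["last"] - rec["first"]).total_seconds())
        if len(rec["ports"]) >= sweep_ports:
            kind = "port sweep"
        elif rec["count"] > 1:
            kind = "repeat to one port (likely stale peer/retry)"
        else:
            kind = "background noise"
        verdicts[src] = (kind, rec["count"], sorted(rec["ports"]), span)
    return verdicts
```

Feed it `grep 'IN=' /var/log/kern.log` output and the per-source counts and time spans are the description an abuse@ desk would actually want, together with the whois(1) lookup of the source.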