thomas lakofski <[EMAIL PROTECTED]> writes:
> Tim Haynes wrote:
> Script kiddies generally don't know what's happened to them when
> portsentry triggers, and go looking for easier fodder

Random garbage traveling across the 'net is exactly this: Random garbage.

> > Who says someone's going to go through a full SYN connect, anyway? Sounds
> > like you need a stateful firewall to be somewhat safer.
>
> If they're not doing a full connect, portsentry won't trip.

aka 'Won't notice anything except TCP-connect scans'.

So somebody tries to connect to what he thinks is a service you offer and
then you block his IP (which could have been allocated dynamically out of an
ISP's pool and change within seconds without any necessity for a different
machine at the other end)? A nice remote DoS:

--------------------
while true; do
    isdnctrl dial ippp0
    nc -v -z <your.ip> <port>
    isdnctrl hangup ippp0
done
--------------------

If I suffer from dynamic IP allocations, you would be blocking hundreds of
IPs within a comparatively short amount of time (~3-5 seconds per IP). This
will keep your machine quite busy and will block entirely legitimate
accesses to the services you talk of below from people who happen to get
said IPs next.

> If they're actually out to exploit the hole

Why do you worry about holes in programs you don't even run? No one can
attack you with a portmapper exploit if there's no portmapper to talk to.

> When using software like this it's assumed that you have a good idea
> of what is happening on the box.

If I know what's happening on the box, I don't need a tool like this, as I
don't run any services except those I intend to, with the latter ones being
reasonably configured.

> I don't have it trigger as a result of anything other than a full
> TCP connect.

see above

> I have a default-deny firewall with portsentry.

Consider a default-REJECT firewall. This is a lot nicer to others.

> There are only around 5 valid services on the box,

So these are the ones to worry about.

> and about 30 fake ports wired up to portsentry.

So you deliberately open up thirty ports without any real need to do so to
get *what*? Why not simply close them and be done with it?

> People who have valid business on the box never run into trouble,

They will, as demonstrated above.

--
SIGSTOP
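The collateral effect argued in the message above (an auto-blocker keyed on source IP facing a dynamic address pool), as an added simulation that is not part of the thread or of portsentry: the pool, the redial timing and the `ttl` expiry option are constructed assumptions; portsentry itself blocks permanently, which the `ttl=None` case models.

```python
# Constructed simulation: a portsentry-style block list versus a dynamic IP pool.
POOL = [f"10.0.0.{i}" for i in range(1, 255)]   # constructed RFC 1918 pool


class AutoBlocker:
    """Block list keyed on source IP. ttl=None models a permanent block (the
    portsentry behaviour); a numeric ttl (seconds) models a block that expires."""

    def __init__(self, ttl=None):
        self.ttl = ttl
        self.blocked = {}          # ip -> time of the triggering connect

    def trigger(self, ip, now):
        self.blocked[ip] = now

    def is_blocked(self, ip, now):
        t = self.blocked.get(ip)
        if t is None:
            return False
        if self.ttl is not None and now - t >= self.ttl:
            del self.blocked[ip]   # block has aged out; drop it
            return False
        return True


def simulate(ttl=None, probes=300, redial_secs=4, legit_start=1800, legit_count=100):
    """Return how many later, legitimate dial-in users get denied.

    One hostile host redials every redial_secs, receives the next pool address
    and makes a single TCP connect; each connect trips the blocker.  Afterwards
    legitimate users dial in and are handed addresses from the same pool."""
    b = AutoBlocker(ttl)
    for i in range(probes):
        b.trigger(POOL[i % len(POOL)], i * redial_secs)
    denied = 0
    for k in range(legit_count):
        now = legit_start + k * 10
        if b.is_blocked(POOL[(k * 37) % len(POOL)], now):
            denied += 1
    return denied


if __name__ == "__main__":
    for ttl in (None, 900, 600):
        print(f"ttl={ttl}: {simulate(ttl)} of 100 legitimate users denied")
```

With a permanent block list 300 probes at 4 s each exhaust the whole pool, so every later legitimate user is denied; an expiring block bounds the damage to the window in which the address was actually misused.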