On Tue, 31 Jul 2001 12:14:20 PDT, "Karsten M. Self" writes:

>> On Wed, Jul 25, 2001 at 01:38:19PM -0400, Jason Healy wrote:
>> > > Are there any drawbacks to DENY? Is there a general consensus on this
>> > > subject?
> The benefits are twofold:
>
>  - For a two-stage scan, DENY gives the appearance of an unpopulated
>    IP, you're never hit by the second stage of the scan.
>
>  - For automated netblock sweeps, DENY causes the remote (scanning)
>    host to time out on each port. In a netblock that's composed
>    largely of hosts with deny policies, a scan will take significantly
>    longer. This means the black hat has to devote more resources
>    (time, hardware, both) to the scan.

I can only second that. I work for a company which, among other things,
does security audits for customers. So, basically, we try to break into
their networks/systems for a living ;-) or, at least, get as much
information out of and about them as possible.

DENYs make our life much more complicated:

 - scans take longer
 - less information is revealed

When configuring firewalls for customers, the default is to

 - ACCEPT next to nothing
 - REJECT some services (auth, ident)
 - DENY everything

This is kind of a mantra amongst security engineers, time-proven and
reliable.

Another good reason for DENYs: why pay for the back-traffic for services
which you don't offer/advertise?

Btw, Karsten: rather than denying auth+ident, I find it much more
appealing to just send garbage, where one has the option ;-) . In
inetd.conf:

    auth stream tcp nowait nobody /bin/dd dd if=/dev/urandom bs=32 count=1

That's against the traffic reason above, but the fun's quite worth it.

cheers,
&rw
--
-- Ooh, how perverse! Still, it'd be pretty cool for hack value...
-- - me about doing it the "obvious" way
----
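The "ACCEPT next to nothing / REJECT auth+ident / DENY everything" policy from the reply, written out as an added example (this is not code from the thread or from either poster). It targets iptables, where the ipchains target DENY is spelled DROP; REJECT keeps its meaning (an ICMP error or TCP RST is sent back). The one accepted service, SSH on tcp/22, is a hypothetical stand-in for "next to nothing". The ruleset is emitted in iptables-restore format rather than applied directly, so it can be inspected and checked before it is loaded. The ident-garbage function is the same `dd` invocation the reply puts in inetd.conf, wrapped so it can be exercised on its own:

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: iptables
# (DROP == ipchains DENY), conntrack available, and tcp/22 as the only
# offered service (hypothetical).

set -e

OFFERED_TCP_PORTS="22"   # hypothetical: the "next to nothing" we ACCEPT

# Emit the ruleset on stdout in iptables-restore format.
gen_rules() {
    cat <<EOF
*filter
# DENY everything by default: unsolicited packets are dropped silently,
# so a scanner has to wait out its own timeout on every probed port and
# the host looks like an unpopulated IP.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections we initiated still have to get in.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $OFFERED_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# REJECT auth/ident (tcp/113) with a RST instead of dropping it: remote
# SMTP and IRC servers that do ident lookups get an immediate answer
# rather than stalling until their own lookup times out.
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# The alternative from the reply: answer an ident query with 32 bytes of
# random garbage. This is exactly what the inetd.conf line runs.
ident_garbage() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null
}

# Count rules with a given jump target in the generated ruleset, so the
# policy can be sanity-checked before loading it.
count_target() {
    gen_rules | grep -c -- "-j $1" || true
}
```

Load it as root with `gen_rules | iptables-restore`; `iptables-restore --test` parses the ruleset without committing it, which is a cheap way to catch a typo before locking yourself out of a remote box. Note the trade-off the reply points out: answering ident with garbage costs a few bytes of outbound traffic per query, which the DROP policy was meant to avoid.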