Re: Looking for tool to scan / block IPs

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 10/30/05

Date: Sun, 30 Oct 2005 12:32:17 -0600

In the Usenet newsgroup comp.os.linux.security, in article
<1130647115.879298.247520@g14g2000cwa.googlegroups.com>, valdasr@gmail.com
wrote:

>>> I think portsentry will do what you are looking for

>> I've been using portsentry for years

>Basically it does that by default installation, at least I don't do
>anything special in the config file,

I've always been concerned about self-denial-of-service tools like
portsentry. Look at the man page for nmap - specifically the -D option,
and contemplate what portsentry will do when someone uses the IP addresses
of your name servers as arguments to 'nmap -D'.

>after a couple of days I already have this in my hosts.deny file
>
>ALL: 218.47.59.72
>ALL: 82.235.92.123
>ALL: 211.212.183.116
>ALL: 207.67.25.104
>ALL: 203.239.60.72

Kindly read the man page for hosts_access(5) - the section on "ACCESS
CONTROL FILES":

       The access control software consults two files. The search
       stops at the first match:

       o Access will be granted when a (daemon,client) pair
              matches an entry in the /etc/hosts.allow file.

       o Otherwise, access will be denied when a (daemon,client)
              pair matches an entry in the /etc/hosts.deny file.

       o Otherwise, access will be granted.

so the only thing that goes in /etc/hosts.deny is

ALL: ALL

But also recall that /etc/hosts.deny is only consulted by those applications
that are using tcp_wrappers, or are compiled with 'libwrap' support. As
regards regular firewalls, they follow a similar logic, looking for a rule
that matches, and stopping when one is found. A sane configuration is one
that blocks all by default, and only explicitly permits those things that
are needed/desired.

        Old guy
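The following is an added example (not part of the original post or of tcp_wrappers itself) that simulates the hosts_access(5) search order quoted above, so the difference between a per-IP blocklist in /etc/hosts.deny and the recommended "ALL: ALL" can be checked against concrete (daemon,client) pairs. It models only a simplified rule syntax ("daemon_list: client_list" with comma-separated entries and the ALL wildcard; no hostnames, netmasks or EXCEPT clauses). The sample hosts.allow, the sshd daemon name and the 192.0.2.x/203.0.113.x client addresses are constructed for the demonstration; the two blocklisted addresses are taken from the quoted hosts.deny.

```python
"""Simulate the decision order of hosts_access(5).

Added example, not the original post's or tcp_wrappers' own code. The rule
syntax is deliberately reduced to "daemons: clients" with the ALL wildcard.
"""


def parse_rules(text):
    """Turn a hosts.allow / hosts.deny style text into [(daemons, clients)]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def _matches(pattern, value):
    return pattern == "ALL" or pattern == value


def rule_matches(rule, daemon, client):
    """A rule matches when both its daemon list and its client list match."""
    daemons, clients = rule
    return (any(_matches(d, daemon) for d in daemons)
            and any(_matches(c, client) for c in clients))


def hosts_access(daemon, client, allow_text, deny_text):
    """Return (decision, source) following the man page: first match wins,
    hosts.allow is searched first, then hosts.deny, and no match means grant."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client):
            return ("granted", "hosts.allow")
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client):
            return ("denied", "hosts.deny")
    return ("granted", "default")


# Constructed sample files. BLOCKLIST_DENY mirrors the style of the quoted
# hosts.deny (two of its addresses); DEFAULT_DENY is what the reply recommends.
ALLOW = "sshd: 192.0.2.10\n"          # constructed: one trusted admin host
BLOCKLIST_DENY = "ALL: 218.47.59.72\nALL: 82.235.92.123\n"
DEFAULT_DENY = "ALL: ALL\n"


def compare_policies(daemon, client):
    """Decision under the blocklist hosts.deny versus the ALL: ALL hosts.deny."""
    return (hosts_access(daemon, client, ALLOW, BLOCKLIST_DENY),
            hosts_access(daemon, client, ALLOW, DEFAULT_DENY))


if __name__ == "__main__":
    for daemon, client in [("sshd", "218.47.59.72"),   # listed scanner
                           ("sshd", "203.0.113.5"),    # constructed: unknown host
                           ("sshd", "192.0.2.10"),     # constructed: trusted host
                           ("ftpd", "192.0.2.10")]:    # trusted host, other daemon
        blocklist, default_deny = compare_policies(daemon, client)
        print(f"{daemon:5} {client:15} blocklist={blocklist} default-deny={default_deny}")
```

With the per-IP blocklist, only the addresses already seen are refused and every other client is granted by the final default rule; with "ALL: ALL" in hosts.deny, only pairs explicitly listed in hosts.allow get through, which is the default-deny posture the reply argues for. As the post notes, this only governs services linked against libwrap; packet filters need an equivalent default-deny rule of their own.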

