Automatic blocking
David Cary Hart
Fedora at TQMcube.com
Wed Aug 16 16:07:18 UTC 2006
On Wed, 16 Aug 2006 11:34:25 -0400, "Amadeus W. M."
<amadeus84 at cablespeed.com> opined:
> On Wed, 16 Aug 2006 04:25:38 -0600, Ashley M. Kirchner wrote:
>
>
> The answer to your question is portsentry. It runs in the
> background, monitoring a list of ports for incoming connections. If
> an attacker hits a port so many times in a short amount of time,
> portsentry bans the offending machine, by introducing the
> appropriate rule in iptables. Of course, the list of ports, and the
> threshold for the number of hits are configurable.
>
> That said, cool as it may sound, portsentry has a major drawback
> which made me and many others prefer a non-dynamic approach to
> security. Portsentry can be used to produce a denial of service
> attack. Suppose you connect regularly from your work.com machine
> to your home.net machine, and malicious.com knows that. Then
> malicious.com can send packets to home.net pretending to originate
> from work.com. Then for all it knows, portsentry running on your
> home.com will cut off acces to work.com. Sounds complicated, but
> it's trivial to do that, with things like nc or nmap.
>
Using the swatch (perl) to execute a script is far more
flexible and controllable (IMO).
--
Do NOT Send Email to <spam trap> Fedora at TQMcube,com
Our DNSRBL - Eliminate Spam at The Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
More information about the fedora-list
mailing list