Subject: Re: SV:
From: Dennis Fleurbaaij (dennisGEEKALERT.NL)
Date: Wed Aug 09 2000 - 13:25:08 CDT
- In reply to: lasse: "SV:"
> > Aug 6 00:58:10 linux portsentry: attackalert: Connect from host:
> > 18.104.22.168/22.214.171.124 to TCP port: 12345 A
> > from different IPs. Right now I'm blocking it with portsentry, and I'm
> > about to install snort. I have two questions:
> Maybe it's just me, but I really wouldn't block the "offending" hosts, he
> could be using nmap, and spoof the IP packets. Now imagine if he decided to
> scan with a decoy that had the same IP as your gateway? - then you
> disconnected yourself from the internet.
Nope, that is (of course!) configurable.
> > 1.- How can I find who wants to hack me? I did "host", "nslookup" and
> > "traceroute", but can't reach source IPs. How can I find who's
> > responsible for the network from which the attack originated?
> Most likely, one of the hosts is the "correct" attacker, unfortunately it's
> pretty much near impossible to know which is correct, and which are fake. I
> suppose you could put a program on say port 1367 or any other random port,
> that logged whoever's IP tried to connect to it, and sent a message
> "Service denied". As far as I understand it's much harder to spoof a TCP/IP
> connection, than to spoof a port-scanning IP.
Can't reach source IPs? Maybe he's offline :) Most hackers do have some
sort of dialup.
> > 2.- I have locked all inet ports(except http, ftp and ssh), installed
> > logsentry, hostsentry and logcheck and I'm about to install snort, what
> > more do you recommend to have a secure machine? (I refer to monitoring
> > tools)
> I would consider the Bastille project, run that script, it does a wonderful
> job of securing your machine, at least it did for mine :-)
Ehrm true, but I only have a modified version of snort running and it
dynamically alters my firewall :)
Mail me if you want a copy.
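The two ideas in this thread, a decoy port that logs only completed TCP connections and answers "Service denied", and an ignore list so a spoofed decoy scan carrying your gateway's address can never get you to block yourself, as an added example that is not code from the thread or from portsentry. The ignore networks and the port choice are constructed for the example; the listener binds to loopback so it can be exercised offline.

```python
import ipaddress
import socket
import threading
import time

# Addresses that must never be marked for blocking, e.g. the gateway the reply
# above warns about: a decoy scan can forge these as source addresses, and an
# auto-blocker that trusts them cuts you off. Constructed values for the example.
IGNORE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.1/32")]

def classify(peer_ip, ignore_nets=IGNORE_NETS):
    """Decide what to do with a peer that completed a TCP handshake.
    A completed handshake means the peer really received our SYN-ACK, which is
    far harder to fake than the source address of a bare scan packet."""
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in net for net in ignore_nets):
        return "ignore"
    return "block"

def open_decoy(port, host="127.0.0.1"):
    """Bind a listening socket on the decoy port (port 0 lets the OS choose)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(5.0)
    return srv

def serve_once(srv, log):
    """Accept one connection, log it with a verdict and answer 'Service denied'."""
    conn, (peer_ip, _) = srv.accept()
    with conn:
        record = {"time": time.strftime("%b %d %H:%M:%S"), "ip": peer_ip,
                  "port": srv.getsockname()[1], "action": classify(peer_ip)}
        log.append(record)
        conn.sendall(b"Service denied\r\n")
    return record

def demo(port=0):
    """Run the decoy in a thread and connect to it once from this host."""
    log = []
    srv = open_decoy(port)
    t = threading.Thread(target=serve_once, args=(srv, log))
    t.start()
    with socket.create_connection(("127.0.0.1", srv.getsockname()[1])) as c:
        reply = b"".join(iter(lambda: c.recv(64), b""))  # read until server closes
    t.join()
    srv.close()
    return log[0], reply

if __name__ == "__main__":
    print(demo())
```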