OSEC

Subject: Re: SV:
From: Dennis Fleurbaaij (dennisGEEKALERT.NL)
Date: Wed Aug 09 2000 - 13:25:08 CDT


> Hiya!
>
> > Aug 6 00:58:10 linux portsentry[840]: attackalert: Connect from host:
> > 210.114.140.177/210.114.140.177 to TCP port: 12345 A
> > from different IPs. Right now I'm blocking it with portsentry, and I'm
> > about to install snort. I have two questions:
>
> Maybe it's just me, but I really wouldn't block the "offending" hosts, he
> could be using nmap, and spoof the IP packets. Now imagine if he decided
> scan with a decoy that had the same IP as your gateway? - then you suddenly
> disconnected yourself from the internet.

Nope, that is (of course!) configurable.

>
> > 1.- How can I find who wants to hack me? I did "host", "nslookup" and
> > "traceroute", but can't reach source IPs. How can I find who's
> > responsible for the network from which the attack originated?
>
> Most likely, one of the hosts is the "correct" attacker, unfortunately it's
> pretty much near impossible to know which is correct, and which are fake. I
> suppose you could put a program on say port 1367 or any other random port,
> that logged whoever's IP tried to connect to it, and send a message like
> "Service denied". As far as I understand it's much harder to spoof a TCP/IP
> connection, than to spoof a port-scanning IP.

Can't reach source IPs? Maybe he's offline :) Most hackers do have some
sort of dialup.

>
> > 2.- I have locked all inet ports(except http, ftp and ssh), installed
> > logsentry, hostsentry and logcheck and I'm about to install snort, what
> > more do you recommend to have a secure machine? (I refer to monitoring
> > tools)
>
> I would consider Bastille-projekt, run that script, it does a wonderful job
> of securing your machine, at least it did for mine :-)
>

Ehrm, true, but I only have a modified version of snort running and it
dynamically alters my firewall :)
Mail me if you want a copy.

Kind regards,
Dennis Fleurbaaij
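A small defender-side illustration of the "configurable" point in the thread, added here as example code (not portsentry's or snort's own, nor anything posted by the participants): parse attackalert lines in the format quoted above, count hits per source, and refuse to block addresses on a never-block list, so a decoy scan that spoofs the gateway cannot lock the machine off the net. The log lines, the 192.0.2.x/198.51.100.x addresses and the hit threshold are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the portsentry "attackalert" format quoted in the thread.
SAMPLE_LOG = """\
Aug 6 00:58:10 linux portsentry[840]: attackalert: Connect from host: 210.114.140.177/210.114.140.177 to TCP port: 12345
Aug 6 00:58:11 linux portsentry[840]: attackalert: Connect from host: 192.0.2.1/192.0.2.1 to TCP port: 12345
Aug 6 00:58:12 linux portsentry[840]: attackalert: Connect from host: 210.114.140.177/210.114.140.177 to TCP port: 31337
Aug 6 00:58:13 linux portsentry[840]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 12345
"""

# Addresses that must never be blocked, however many alerts name them.
# Hypothetical values: the gateway and a management subnet.
NEVER_BLOCK = [ip_network("192.0.2.1/32"), ip_network("198.51.100.0/24")]

ALERT_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<name>\S+)/(?P<ip>[\d.]+) to TCP port: (?P<port>\d+)"
)


def parse_alerts(log_text):
    """Return (source_ip, port) tuples for every attackalert line that matches."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append((m.group("ip"), int(m.group("port"))))
    return alerts


def is_protected(ip):
    """True if the address falls inside any never-block network."""
    return any(ip_address(ip) in net for net in NEVER_BLOCK)


def block_decisions(alerts, threshold=2):
    """Per source IP: 'ignore' if protected, 'block' at or above threshold hits, else 'watch'."""
    hits = Counter(ip for ip, _ in alerts)
    decisions = {}
    for ip, n in hits.items():
        if is_protected(ip):
            decisions[ip] = "ignore"  # possibly a spoofed decoy; blocking would hurt us
        elif n >= threshold:
            decisions[ip] = "block"
        else:
            decisions[ip] = "watch"
    return decisions


if __name__ == "__main__":
    for ip, verdict in block_decisions(parse_alerts(SAMPLE_LOG)).items():
        print(ip, verdict)
```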