[ILUG] Detecting a port scan attempt on my machine.

Smelly Pooh plop at redbrick.dcu.ie
Wed Mar 7 19:18:51 GMT 2001


In reply to Donncha O Caoimh's flatulent wordings, 
> Yup, my article on CLUG talks about this. You can make Portsentry act as
> a black hole to portscanners. They simply don't see the machine when
> it's port scanned! Some of the web based portscanning sites recommend
> changing the default from "deny"ing packets to "reject"ing packets which
> has implications others can tell us about..

Having just tested Port Sentry I have to say I'm not impressed.  My initial
suspicions that it opens up a lot of new ports (every port that it monitors)
have been confirmed.  This reeks of amateurism; you're basically advertising
the availability of services that aren't there, making your server more
attractive to hackers than it actually is.  Granted, you can blackhole said
attacker before they actually attack any services that actually exist.  This
brings me to the blackhole implementation: adding a non-existent route to the
target?  Is this the state of network security today?  Imagine somebody port
scans your machine using a large number of packets with faked source addresses
(an option in nmap); how many static routes do you reckon our malicious cracker
will have to add before bringing your machine down?

On top of that, Port Sentry doesn't monitor the ports of services that you are
actually running.  This isn't such a big deal I guess, because if you're running
a public service you should expect people to connect to it, but if some user
left a telnet service running and some malicious fellow tried to repeatedly
connect to it guessing passwords, Port Sentry won't say diddly squat.

Again, this applies mainly to Port Sentry running in classic mode (which is
the only way Port Sentry can run on non-Linux systems).  On Linux, despite
its added packet sniffing abilities, Port Sentry is still going to do the
black hole routing, making it a DOSsible.

Basically I reckon that although Port Sentry has the odd nice idea, and is
good enough for a home user who reboots his machine often but is afraid of
being port scanned, you'd be an idiot to do any more with it.
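The two failure modes raised in the post, a blackhole table that grows without bound under a spoofed-source scan and repeated connections to a live service that go unreported, are easy to see in a small simulation. The following is an added example written for this page; it is not Port Sentry's code and makes no claim about its internals. Port numbers, addresses and the event stream are constructed, the `LISTENING_PORTS` and `WATCHED_PORTS` sets are assumptions, and the `BlackholeTable`, `Monitor`, `run`, `decoy_scan` and `telnet_guessing` names are hypothetical. The blackhole table caps its size and expires entries, so the worst case a decoy scan can inflict is fixed rather than proportional to the number of spoofed sources, and the monitor also counts connections to a listening port per source so that password guessing against a running telnet service is at least noticed.

```python
from collections import OrderedDict

# Assumed for this example: ports the host actually serves, and unused ports
# used as tripwires in the style of Port Sentry's classic mode.
LISTENING_PORTS = {22, 23}
WATCHED_PORTS = {21, 25, 79, 110, 111, 143}


class BlackholeTable:
    """Bounded, expiring blackhole list (hypothetical helper).

    An unbounded table is the failure mode the post describes: every spoofed
    source adds an entry until the host runs out of resources.  A fixed cap
    plus a time-to-live keeps the table size independent of the scan size.
    """

    def __init__(self, max_entries=256, ttl=300):
        self.max_entries = max_entries
        self.ttl = ttl
        self._entries = OrderedDict()  # ip -> time added, oldest first

    def _expire(self, now):
        # Drop entries older than ttl; the OrderedDict keeps oldest at front.
        while self._entries:
            ip, added = next(iter(self._entries.items()))
            if now - added < self.ttl:
                break
            self._entries.popitem(last=False)

    def add(self, ip, now):
        self._expire(now)
        if ip in self._entries:
            self._entries.move_to_end(ip)
            self._entries[ip] = now
            return
        if len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)  # evict the oldest entry
        self._entries[ip] = now

    def contains(self, ip, now):
        self._expire(now)
        return ip in self._entries

    def __len__(self):
        return len(self._entries)


class Monitor:
    """Classifies connection events and records alerts (hypothetical helper)."""

    def __init__(self, table, auth_threshold=5, window=60):
        self.table = table
        self.auth_threshold = auth_threshold  # hits per window that trigger an alert
        self.window = window                  # seconds
        self._live_hits = {}                  # (ip, port) -> recent timestamps
        self.alerts = []

    def handle(self, ts, ip, port):
        if self.table.contains(ip, ts):
            return "dropped"
        if port in WATCHED_PORTS:
            # Tripwire hit: record the source and blackhole it.
            self.table.add(ip, ts)
            self.alerts.append(("tripwire", ip, port))
            return "blackholed"
        if port in LISTENING_PORTS:
            # Live service: keep a sliding window of hits per source.
            hits = self._live_hits.setdefault((ip, port), [])
            hits.append(ts)
            hits[:] = [t for t in hits if ts - t <= self.window]
            if len(hits) >= self.auth_threshold:
                self.alerts.append(("repeated-connect", ip, port))
                return "alert"
            return "accepted"
        return "ignored"


def run(events, max_entries=100, ttl=300):
    """Feed (timestamp, source_ip, dest_port) events through a fresh Monitor."""
    mon = Monitor(BlackholeTable(max_entries, ttl))
    for ts, ip, port in events:
        mon.handle(ts, ip, port)
    return mon


def decoy_scan(n, start_ts=0.0):
    """Constructed sample: one probe each from n distinct spoofed sources."""
    return [(start_ts + i * 0.01, f"10.0.{i // 256}.{i % 256}", 111) for i in range(n)]


def telnet_guessing(ip="192.0.2.7", attempts=6, start_ts=0.0):
    """Constructed sample: repeated connects to a live telnet port from one source."""
    return [(start_ts + i * 5.0, ip, 23) for i in range(attempts)]


if __name__ == "__main__":
    scan = run(decoy_scan(1000), max_entries=100)
    print(len(scan.table), "blackhole entries after 1000 spoofed sources")
    guess = run(telnet_guessing())
    print([a for a in guess.alerts if a[0] == "repeated-connect"])
```

With a cap of 100 the table holds 100 entries after a 1000-source decoy scan, and the telnet guesser is reported once the fifth connection within the window arrives. The cap does mean a large decoy scan evicts earlier entries, so the blackhole is best treated as a short-lived nuisance filter rather than a durable block.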