[2112] in linux-security and linux-alert archive
[linux-security] Re: portmap vulnerability?
daemon@ATHENA.MIT.EDU (Brown, Mark)
Mon Dec 14 17:32:17 1998
From: "Brown, Mark" <mbrown@visa.com>
To: linux-security@redhat.com, Matt <panzer@dhp.com>
Date: Mon, 14 Dec 1998 10:01:33 -0800
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
-----Original Message-----
From: cfb [mailto:cfb@ocn21.kdd-ok.ne.jp]
Sent: Sunday, December 13, 1998 5:16 AM
To: Matt
Subject: [linux-security] Re: portmap vulnerability?
>... or did I just miss something in the man page?
>Might this be a handy way to detect port scans or spoofed packets (if
>connections are being initiated at ports that don't respond/handshake,
>what else could it be (disregarding udp, of course)?)? Maybe that's a
>bit beyond the current scope of wrappers, but it would be nice. Oh
>well, more work for someone else...
Hmm... speaking of putting unused ports to work to detect port scans
-- here's a cute piece of software that does just that + a bit more:
http://www.psionic.com/abacus/abacus.html
Take a look at the "Sentry" software. Besides detecting TCP & UDP
port scans, it has the ability to immediately add the offending host to
hosts.deny, as well as adding a bogus route back to them in the
routing table... effectively making you disappear. I've run it for
about two months now on a server that gets sniffed at a lot. It
works. I can think of a couple of ways someone could turn this
software against you ("scanning" you with packets with a spoofed
source IP that matches a legitimate host you haven't defined to ignore
-- thus breaking the routing), but In Real Life, it has done very
well.
Mark
[mod: Message body reformatted for clarity. -- REW]
[mod: This is also a controversial tool. Mark knows the disadvantages
and he mentions them. What works for him may work for you. Maybe not.
So let's not discuss "security policies" again OK? -- REW]
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
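The mechanism Mark describes (treat connection attempts to ports this host does not serve as probes, and once a source has touched enough of them, deny it in hosts.deny and blackhole-route it) can be sketched in a few dozen lines. The example below is added to this archive page; it is not code from Mark, from the Abacus/Sentry project, or from the list. The listening ports, ignore list, threshold and the "src_ip dst_port proto" record format are all constructed for the example. The ignore list is the safeguard for the abuse Mark points out: a probe whose spoofed source matches an ignored host is reported but never blocked, so it cannot be used to cut the server off from its gateway or resolver.

```python
# Added example, not Abacus/Sentry code: a minimal port-scan detector that
# reads constructed connection-attempt records, counts distinct unused ports
# probed per source, and plans the two responses described in the email
# (a hosts.deny entry and a blackhole route), skipping ignored hosts.
import ipaddress
from collections import defaultdict

# Ports this host actually serves; any other port is "unused" and a probe of
# it counts toward a scan. Constructed for the example.
LISTENING_PORTS = {22, 25, 80}

# Hosts that must never be blocked (gateway, resolver, monitoring). A spoofed
# probe claiming one of these addresses is reported but not acted on.
IGNORE_HOSTS = {"192.0.2.1", "192.0.2.53"}

# Distinct unused ports one source may touch before it is treated as a scan.
SCAN_THRESHOLD = 3


def parse_attempt(line):
    """Parse a constructed 'src_ip dst_port proto' record; None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    src, port, proto = parts
    try:
        ipaddress.ip_address(src)
        port = int(port)
    except ValueError:
        return None
    if not 0 < port < 65536 or proto not in ("tcp", "udp"):
        return None
    return src, port, proto


def detect_scanners(lines):
    """Return {src: sorted unused ports probed} for sources at or over threshold."""
    probes = defaultdict(set)
    for line in lines:
        rec = parse_attempt(line)
        if rec is None:
            continue  # malformed input is ignored, never counted
        src, port, _ = rec
        if port not in LISTENING_PORTS:
            probes[src].add(port)
    return {src: sorted(p) for src, p in probes.items() if len(p) >= SCAN_THRESHOLD}


def plan_response(scanners):
    """Build hosts.deny lines and blackhole-route commands for each scanner.

    Ignored hosts are returned separately instead of being blocked, so a
    spoofed source matching a legitimate host cannot break our routing.
    """
    deny_lines, route_cmds, skipped = [], [], []
    for src in sorted(scanners):
        if src in IGNORE_HOSTS:
            skipped.append(src)
            continue
        deny_lines.append(f"ALL: {src}")            # tcp_wrappers hosts.deny syntax
        route_cmds.append(f"ip route add blackhole {src}/32")  # iproute2 form of the "bogus route"
    return deny_lines, route_cmds, skipped


# Constructed sample: one real scan, one set of probes spoofed as the gateway,
# one host touching a single unused port, and one malformed line.
SAMPLE = [
    "198.51.100.7 23 tcp",
    "198.51.100.7 111 tcp",
    "198.51.100.7 139 tcp",
    "198.51.100.7 80 tcp",
    "192.0.2.1 23 tcp",
    "192.0.2.1 111 tcp",
    "192.0.2.1 513 tcp",
    "203.0.113.9 22 tcp",
    "203.0.113.9 8080 tcp",
    "garbage line",
]

if __name__ == "__main__":
    found = detect_scanners(SAMPLE)
    deny, routes, skipped = plan_response(found)
    print("scanners:", found)
    print("hosts.deny additions:", deny)
    print("route commands:", routes)
    print("ignored (possible spoof):", skipped)
```

Running the block as-is prints one blocked scanner (198.51.100.7), one source that crossed the threshold but sits on the ignore list (192.0.2.1) and nothing for 203.0.113.9, whose only unused-port contact was a single probe. The commands are returned as strings rather than executed, so the decision logic can be checked before it is wired to anything that edits hosts.deny or the routing table.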