So how do you folks feel about using an IDS like snort with Guardian? The IDS
detects the attack, another tool auto-blocks that IP from the host under
attack. For a teeny site I don't think I would have to worry about getting
reverse DDoSed, or do I? Thoughts?

Josh

On Wed, 6 Jun 2001, Austad, Jay wrote:

> Snort (http://www.snort.org) is a good IDS system to use. It will log to a
> database also, and you can report on the data using ACID
> (http://acidlab.sourceforge.net). Apparently the latest version will
> support more than just MySQL, I'll probably be installing it today sometime.
> MySQL sucks on large databases (at least it did for me), and I'd like to
> switch to something else. More attack sigs are available for snort at
> http://www.whitehats.com/ids
>
> Jay
>
> > -----Original Message-----
> > From: joel at luths.net [mailto:joel at luths.net]
> > Sent: Wednesday, June 06, 2001 12:21 PM
> > To: tclug-list at mn-linux.org
> > Subject: RE: [TCLUG] Security
> >
> > Hm, 20/day is about what I get I think. I'm collecting stats, just
> > haven't done much processing of them. Anyone logging ipchains DENYs for
> > this (like me) might want to check out packet2sql
> > (http://sourceforge.net/projects/packet2sql/). Pulls the ipchains lines
> > out of log files and puts them in a SQL db. Should make analysis much
> > easier, if I ever get around to it.
> >
> > Quoting "Austad, Jay" <austad at marketwatch.com>:
> >
> > > I get scanned quite a bit on my DSL also, probably about 20 times a
> > > day. That's nothing compared to one of my networks, over 6000
> > > portscans a day (some are dummy scans of course, but it's still a
> > > lot). Fun.
> > >
> > > > -----Original Message-----
> > > > From: joel at luths.net [mailto:joel at luths.net]
> > > > Sent: Wednesday, June 06, 2001 10:50 AM
> > > > To: tclug-list at mn-linux.org
> > > > Subject: Re: [TCLUG] Security
> > > >
> > > > I'm running DSL and I get *lots* of scans.
> > > >
> > > > Quoting Brian <lxy at cloudnet.com>:
> > > >
> > > > > On Tue, 5 Jun 2001, Dave Sherohman wrote:
> > > > >
> > > > > > Nah. They're talking to portmap, not telnetd. Those requests are
> > > > > > asking about available RPC services, most likely in hopes of
> > > > > > finding a vulnerable NIS or NFS installation.
> > > > >
> > > > > Ok, I've heard of exploits on RPC, now I'm curious. What's using
> > > > > RPC? Is it just NIS and NFS? I've heard of tons of RPC ports strewn
> > > > > about that can be exploited, it's the only remaining port that I'm
> > > > > worried about on my system.
> > > > >
> > > > > Back to the original question on security, port scans are part of
> > > > > life. Kiddies all over the internet like to run their port scanners
> > > > > because they're HACKERS and they're unstoppable! Just like in the
> > > > > movie! *rolls eyes* Just make sure you aren't running anything
> > > > > unnecessary, like xfs, nis, nfs, etc. Out of curiosity, are you on a
> > > > > cable modem? I've noticed that when I was on DSL no one even looked
> > > > > at my box but on cable in the last week I've collected large amounts
> > > > > of IP addresses probing away at my firewall. They've mainly been
> > > > > targeting FTP, which is odd, since I hadn't had ftpd up and running
> > > > > at that point. Real bright ones, they are! :-)
> > > > >
> > > > > tcp wrappers do a pretty good job, an ALL:ALL in hosts.deny lets me
> > > > > sleep at night anyway. I also have a policy of denying ICMP requests
> > > > > on my outside interface just to thwart the really stupid kiddies.
> > > > > Between these two I feel relatively secure. Then just check your
> > > > > startup script to make sure you aren't running anything you don't
> > > > > need to be.
> > > > >
> > > > > -Brian
> > > > >
> > > > > _______________________________________________
> > > > > tclug-list mailing list
> > > > > tclug-list at mn-linux.org
> > > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
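Two things in this thread go together: Joel's note about pulling ipchains DENY lines out of the logs for analysis, and Josh's worry that an IDS wired to an auto-blocker can be turned against you (an attacker spoofs the source address of a host you depend on, your blocker dutifully firewalls it). The following is an added example written for this page, not code from Guardian, packet2sql or anyone in the thread. It parses constructed log lines in the kernel 2.2 ipchains "Packet log" format, aggregates DENY hits per source, and applies a blocking policy that is my own assumption about a sane safeguard: a never-block list for addresses you cannot afford to lose (resolver, gateway, loopback) plus a threshold on distinct target ports or hit count before any rule is emitted. The addresses, hostnames and thresholds are all made up for the example.

```python
"""Parse ipchains DENY log lines and decide which sources may be auto-blocked.

Added example, not code from the thread, Guardian or packet2sql.  The log
lines below are constructed to match the kernel 2.2 ipchains "Packet log"
format.  The blocking policy (never-block list + thresholds) is an assumed
safeguard against "reverse DoS" via spoofed source addresses.
"""
import re
from collections import defaultdict

# One ipchains log record: chain, target, interface, protocol, src:sport,
# dst:dport, length, TOS, IP id, fragment flags, TTL, optional SYN flag.
# For ICMP (PROTO=1) the "port" fields carry the ICMP type and code.
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>DENY|REJECT|ACCEPT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<syn> SYN)?"
)

# Constructed sample: 203.0.113.7 sweeps portmap/ftp/telnet, then the same
# sweep arrives "from" 198.51.100.53, which we assume is the upstream DNS
# resolver (a spoofed scan meant to get us to block it).  One ICMP echo and
# one stray SYN to port 80 round it out.
SAMPLE_LOG = """\
Jun  6 10:50:01 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3421 192.0.2.10:111 L=60 S=0x00 I=36723 F=0x4000 T=50 SYN (#4)
Jun  6 10:50:02 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3422 192.0.2.10:21 L=60 S=0x00 I=36724 F=0x4000 T=50 SYN (#4)
Jun  6 10:50:03 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3423 192.0.2.10:23 L=60 S=0x00 I=36725 F=0x4000 T=50 SYN (#4)
Jun  6 10:50:04 gw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.7:3424 192.0.2.10:111 L=48 S=0x00 I=36726 F=0x0000 T=50 (#4)
Jun  6 10:50:05 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.53:3333 192.0.2.10:111 L=60 S=0x00 I=100 F=0x4000 T=240 SYN (#4)
Jun  6 10:50:06 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.53:3334 192.0.2.10:21 L=60 S=0x00 I=101 F=0x4000 T=240 SYN (#4)
Jun  6 10:50:07 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.53:3335 192.0.2.10:23 L=60 S=0x00 I=102 F=0x4000 T=240 SYN (#4)
Jun  6 10:50:08 gw kernel: Packet log: input DENY eth0 PROTO=1 198.51.100.9:8 192.0.2.10:0 L=84 S=0x00 I=200 F=0x0000 T=55 (#6)
Jun  6 10:50:09 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.200:40000 192.0.2.10:80 L=60 S=0x00 I=300 F=0x4000 T=64 SYN (#4)
"""

# Assumed addresses that must never be auto-blocked, whatever the logs say:
# the resolver, the default gateway and loopback.
NEVER_BLOCK = {"198.51.100.53", "192.0.2.1", "127.0.0.1"}
MIN_DISTINCT_PORTS = 3   # a sweep across this many (proto, port) pairs ...
MIN_HITS = 10            # ... or this many denied packets counts as noisy


def parse_line(line):
    """Return a dict of fields for one ipchains log line, or None if it is not one."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec


def parse_log(text):
    """Parse every recognisable ipchains line in a block of syslog text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Per source address: number of DENY hits and the set of (proto, dport) seen."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for r in records:
        if r["action"] != "DENY":
            continue
        entry = per_src[r["src"]]
        entry["hits"] += 1
        entry["ports"].add((r["proto"], r["dport"]))
    return per_src


def decide_blocks(records, never_block=NEVER_BLOCK,
                  min_ports=MIN_DISTINCT_PORTS, min_hits=MIN_HITS):
    """Return (to_block, refused): noisy sources, split by the never-block list."""
    to_block, refused = [], []
    for src, s in summarize(records).items():
        noisy = len(s["ports"]) >= min_ports or s["hits"] >= min_hits
        if not noisy:
            continue
        (refused if src in never_block else to_block).append(src)
    return sorted(to_block), sorted(refused)


def ipchains_rules(to_block):
    """Render the blocks as ipchains commands (inserted at the head of 'input')."""
    return ["ipchains -I input -s %s -j DENY -l" % ip for ip in to_block]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    block, refused = decide_blocks(recs)
    for rule in ipchains_rules(block):
        print(rule)
    for ip in refused:
        print("# refused to block protected address %s (looks spoofed)" % ip)
```

Run against the constructed log this emits one DENY rule for 203.0.113.7 and refuses to touch 198.51.100.53 even though it produced an identical-looking sweep; the single ICMP echo and the lone SYN to port 80 never reach the threshold. The never-block list is the part that matters for Josh's question: anything that auto-blocks on the strength of an unauthenticated source address needs one, and the thresholds only reduce how cheaply an attacker can trigger it, not whether they can.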