From owner-freebsd-security Sun Jan 28 2:21:43 2001
From: FBSDSecure@aol.com
Date: Sun, 28 Jan 2001 05:21:19 EST
Subject: Re: (no subject)
To: freebsd-security@freebsd.org

In a message dated 1/27/01 9:51:58 PM Pacific Standard Time, kris@obsecurity.org writes:

> > To prevent portscanning, there is a package in the ports collection
> > called portsentry under both the net and security branches. I am
> > currently using it on my firewall computer and when it detects that
> > someone is portscanning your computer, you can 'ban' the attacker's
> > IP address using ipfw and email you automatically.
>
> Be very careful using automated responses like automatically
> blackholing someone. Port scans can trivially be spoofed (most port
> scanners like nmap include a command-line option to do this), and all
> an attacker needs to do is spoof a scan coming from your ISP's servers
> and it will effectively cut you off of the network.
>
> IMO, there's no problem with portscans if you run a tightly configured
> firewall and don't allow in traffic except to services you trust the
> world to be able to connect to.
>
> Kris

Yes, that is true and yes it can be done. But it's very unlikely that it will be done. Most people use phone modems to connect to the internet. The ISP assigns an IP address to the user's computer based on which port the user came in on. It is pretty much impossible to spoof an ISP-assigned IP address, and if they try, the ISP knows about it and usually takes steps to correct it. On DSL connections, the DSLAM KNOWS which IP addresses are valid on a given port, so you must use the IP address(es) that your ISP provides. Cable modem IP addresses are dynamically assigned using DHCP. Once again, the IP address is assigned to you. The routers in the ISPs know which IP addresses are valid and which are not. So spoofing an IP address is pretty close to impossible from a dialup, xDSL, or cable modem.

Another thing to point out though is if a hacker were to spoof his IP address and do a port scan, what would be the point? The data is useless if it can't get back to the individual. Besides, the portsentry package has an ignore file.

Dan.
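The caveat Kris raises and the ignore file Dan mentions, illustrated by an added example that is not portsentry's code and not from the thread: before an automated ipfw ban is issued, the scan source is checked against a portsentry-style ignore list (addresses you depend on, such as your own hosts, the ISP's resolvers and the gateway; the entries and alerts below are constructed) and against sources that cannot be a genuine unicast scanner, so a forged scan cannot make the firewall cut you off from your own ISP.

```python
import ipaddress

# Constructed stand-in for a portsentry-style ignore file: one host or
# network per line, '#' starts a comment. In practice it lists your own
# interfaces, the ISP's DNS servers, the default gateway, and so on.
IGNORE_FILE = """
# my own interfaces
127.0.0.0/8
192.0.2.10
# ISP resolvers and gateway (constructed example addresses)
198.51.100.1
198.51.100.53
203.0.113.0/24
"""

def load_ignore_list(text):
    """Parse ignore-file text into a list of IP networks (hosts become /32)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def ban_decision(src, ignore_nets):
    """Return (should_ban, reason) for a scan alert with source address src.

    Addresses that cannot be a real remote scanner (multicast, reserved,
    loopback, unspecified) and anything on the ignore list are never
    banned: a spoofed scan "from" the ISP's servers is then harmless to
    your own connectivity, which is the failure mode Kris describes.
    """
    ip = ipaddress.ip_address(src)
    if ip.is_multicast or ip.is_reserved or ip.is_loopback or ip.is_unspecified:
        return False, "not a plausible unicast source"
    for net in ignore_nets:
        if ip in net:
            return False, "on ignore list (%s)" % net
    return True, "ban"

def ipfw_rule(src, rule_number=5000):
    """Build the ipfw command that would blackhole src (built, not executed)."""
    return "ipfw add %d deny ip from %s to any" % (rule_number, src)

if __name__ == "__main__":
    nets = load_ignore_list(IGNORE_FILE)
    for alert in ["198.51.100.53", "192.0.2.77", "224.0.0.1"]:  # constructed alerts
        ban, why = ban_decision(alert, nets)
        print(alert, "->", ipfw_rule(alert) if ban else "skipped: " + why)
```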