Date: Mon, 23 Apr 2001 23:30:03 +0200 (EET)
From: Domas Mituzas <domas.mituzas@delfi.lt>
To: <scheidell@fdma.com>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Connection attempts (& active ids)
Message-ID: <20010423231908.N574-100000@axis.tdd.lt>
In-Reply-To: <200104232113.f3NLDdL54572@caerulus.cerintha.com>
> I just have a perl script that looks at ipfw logs, uploads certain hits to
> mynetwatchman and he larts the isp.

It is really easy to spoof the connection source IP in your IPFW logs. Are you sure you wish to alert the ISP?

Several days ago I gave a lesson to guys running portsentry and similar stuff with active blocking enabled. They did not believe they had any security breach, but after their own systems blocked all TLD servers, they removed portsentry immediately.

It would be really annoying for various ISPs to get fake reports (they are already flooded with fake spam reports when spammers use fake domains in their From:). Therefore, any automatic action on so-called intrusions can have a far worse impact than just ignoring them.

Try to use the least privilege principle, but do not trust the logs of your IDS, which can be spoofed for fun and/or profit. You can place more trust in a type of defence such as tcp wrappers, which are invoked only when the system has verified the TCP connection and handed control to userland. But still, it is more important to do secure system design (use chroot, jails, unprivileged accounts, etc.) than to trust the AI of your security software.

One of the best practices is to build honeypots: early warning systems with great publicity and observed security. And software with banners changed to older ones :)

Know your enemy, but be silent.

Cheers,
Domas
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010423231908.N574-100000>
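The distinction Domas draws (a kernel firewall deny line records a single, trivially spoofable packet, while a tcp wrappers refusal is logged only after the kernel completed the TCP handshake and handed the socket to userland) can be turned into a triage policy for the kind of ipfw-log script the original poster describes. The following is an added example, not code from the post or from mynetwatchman; the log lines are constructed in the shape of FreeBSD 4.x ipfw and tcpd syslog output, the addresses are RFC 5737 documentation prefixes, and the NEVER_BLOCK list is a hypothetical site policy standing in for the resolvers, gateways and TLD servers that an auto-blocker must never cut off.

```python
"""Triage ipfw and tcp-wrappers log lines before any automated response.

Added example; not from the original mailing-list post.  Sample log lines
are constructed, addresses are RFC 5737 documentation ranges, and
NEVER_BLOCK is a hypothetical site policy.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: a scanner whose connection was accepted and then refused
# by tcpd (203.0.113.7), a flood of denies spoofed from our own resolver
# (198.51.100.53), a few denies from an unknown host (203.0.113.50), and a
# single stray packet (203.0.113.99).
SAMPLE_LOG = """\
Apr 23 23:10:01 gw /kernel: ipfw: 100 Deny TCP 203.0.113.7:34567 192.0.2.10:22 in via fxp0
Apr 23 23:10:02 gw /kernel: ipfw: 100 Deny TCP 203.0.113.7:34568 192.0.2.10:23 in via fxp0
Apr 23 23:10:02 gw /kernel: ipfw: 100 Deny TCP 203.0.113.7:34569 192.0.2.10:25 in via fxp0
Apr 23 23:10:05 gw sshd[4471]: refused connect from 203.0.113.7
Apr 23 23:11:10 gw /kernel: ipfw: 100 Deny TCP 198.51.100.53:1025 192.0.2.10:21 in via fxp0
Apr 23 23:11:10 gw /kernel: ipfw: 100 Deny TCP 198.51.100.53:1026 192.0.2.10:23 in via fxp0
Apr 23 23:11:11 gw /kernel: ipfw: 100 Deny TCP 198.51.100.53:1027 192.0.2.10:79 in via fxp0
Apr 23 23:12:40 gw /kernel: ipfw: 100 Deny TCP 203.0.113.50:2001 192.0.2.10:111 in via fxp0
Apr 23 23:12:41 gw /kernel: ipfw: 100 Deny TCP 203.0.113.50:2002 192.0.2.10:139 in via fxp0
Apr 23 23:12:41 gw /kernel: ipfw: 100 Deny TCP 203.0.113.50:2003 192.0.2.10:515 in via fxp0
Apr 23 23:13:00 gw /kernel: ipfw: 100 Deny UDP 203.0.113.99:53 192.0.2.10:53 in via fxp0
"""

# ipfw(8) log shape for TCP/UDP: "<rule> <action> <proto> <src>:<sport> <dst>:<dport> <dir> via <iface>".
# ICMP lines use a different shape and are deliberately left unmatched here.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)
# tcpd logs "refused connect from <peer>" only after accept() returned, i.e.
# after the kernel completed the three-way handshake with that peer address.
TCPD_RE = re.compile(r"(?P<daemon>\w+)\[\d+\]: refused connect from (?P<src>[\d.]+)")

# Hypothetical policy: addresses that must never be blocked or reported no
# matter what the logs say (own networks, resolver, upstream gateway).
NEVER_BLOCK = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.53/32", "198.51.100.1/32")
]


def is_protected(addr):
    """True if addr falls inside a prefix the site policy refuses to act on."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NEVER_BLOCK)


def parse(lines):
    """Return (inbound deny count per source, set of sources seen by tcpd)."""
    denies = Counter()
    handshaken = set()
    for line in lines:
        m = IPFW_RE.search(line)
        if m:
            if m["action"].lower() == "deny" and m["dir"] == "in":
                denies[m["src"]] += 1
            continue
        m = TCPD_RE.search(line)
        if m:
            handshaken.add(m["src"])
    return denies, handshaken


def triage(log_text, threshold=3):
    """Map each source address to 'ignore', 'review' or 'block'.

    - protected addresses are always ignored (the portsentry-vs-TLD failure);
    - a tcpd refusal means the peer completed a handshake, so the address is
      real enough to block automatically;
    - a burst of kernel denies alone is spoofable evidence, so it is queued
      for human review rather than reported to an ISP or blocked.
    """
    denies, handshaken = parse(log_text.splitlines())
    decisions = {}
    for src in set(denies) | handshaken:
        if is_protected(src):
            decisions[src] = "ignore"
        elif src in handshaken:
            decisions[src] = "block"
        elif denies[src] >= threshold:
            decisions[src] = "review"
        else:
            decisions[src] = "ignore"
    return decisions


if __name__ == "__main__":
    for src, decision in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:16} {decision}")
```

Run as a script it prints one decision per source. The point of the split is that only the tcpd-derived evidence is allowed to drive an automatic block, because a firewall deny line proves nothing about who sent the packet, and that the protected list is checked first so that a spoofed flood bearing the resolver's address cannot make the script do the attacker's work for them.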