Of course there's the option of using an IDS to detect port scans. Snort
has multiple powerful modules for this (http://www.snort.org). When run in
inline mode, it can also be used to block hosts that are detected as
malicious.
-
Matt
> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
> Sent: Monday, January 02, 2006 10:55 AM
> To: shorewall-users@lists.sourceforge.net
> Cc: Rafael Vilela
> Subject: Re: [Shorewall-users] Shorewall portscanner example rule.
>
> On Monday 02 January 2006 06:25, Rafael Vilela wrote:
> > When searching in google I could verify that many examples of used rules in
> > shorewall do not exist to block port scanners external. Example: nmap.
> >
> > Somebody has some rule or example ?
>
> There is a "Port Scan Detection" module in Patch-O-Matic-ng -- that module is
> not included in standard kernels and there is no support for it. As always,
> however, you can use an Action with an Extension Script to integrate that
> feature with Shorewall.
>
> One could probably put together a "poor man's" port scan detector using the
> 'recent match' but I don't have an example. Again, it would require using an
> Action and an Extension script as in
> http://www.shorewall.net/PortKnocking.html
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
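
The quoted reply suggests a "poor man's" port scan detector based on per-source state over a time window but gives no example. The following is an added illustration, not part of the original thread and not Shorewall or netfilter code: it applies that idea in userspace to netfilter LOG lines. The log lines, the 60-second window, the 5-port threshold and the year are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields of a netfilter LOG line: syslog timestamp, SRC=, PROTO=, DPT=.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?\bSRC=(?P<src>\S+)\s"
    r".*?\bPROTO=(?P<proto>\w+)\s.*?\bDPT=(?P<dpt>\d+)"
)

def detect_scanners(lines, window=timedelta(seconds=60), max_ports=5, year=2006):
    """Return {source IP: time of alert} for every source that hit more than
    max_ports distinct (protocol, port) pairs within the sliding window."""
    recent = defaultdict(deque)  # source IP -> deque of (time, (proto, port))
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # no destination port (e.g. ICMP) or not a firewall line
        # Syslog timestamps carry no year; the year is an assumed parameter.
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        hits = recent[m["src"]]
        hits.append((ts, (m["proto"], int(m["dpt"]))))
        while ts - hits[0][0] > window:  # expire hits older than the window
            hits.popleft()
        if m["src"] not in flagged and len({p for _, p in hits}) > max_ports:
            flagged[m["src"]] = ts
    return flagged

def _line(ts, src, dpt):
    """Build one constructed log line with a Shorewall-style prefix."""
    return (f"{ts} fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.1 LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT={dpt} SYN URGP=0")

PORTS = (21, 22, 23, 25, 80, 443)
# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE_LOG = (
    # six different ports in six seconds
    [_line(f"Jan  2 10:55:0{i}", "203.0.113.7", p) for i, p in enumerate(PORTS)]
    # repeated attempts on a single port
    + [_line(f"Jan  2 10:56:0{i}", "198.51.100.20", 22) for i in range(8)]
    # six different ports, one per hour
    + [_line(f"Jan  3 1{i}:00:00", "198.51.100.99", p) for i, p in enumerate(PORTS)]
)

if __name__ == "__main__":
    for src, when in detect_scanners(SAMPLE_LOG).items():
        print(f"{when:%Y-%m-%d %H:%M:%S} possible port scan from {src}")
```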