-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Brian Densmore
[snip]
I do have a question for y'all. Is there some non-crippling thing I can do to my system to detect an attack and :
- send me an email (optionally),
- log the conversation for xxx seconds,
- automatically update the firewall to block the offending
user/script. Keep in mind I'm running on an antique here: Pentium Pro 200 MHz @ 40MB RAM w/ ~8 GB of disk.
Portsentry is the knee-jerk reaction you might get from some folks. I tend to disagree however, as it is also frequently used to bind to other service ports, which can make for a busier box... and reactive blocking isn't so much a science as an art. Any reactive system has a tendency, once an attacker has deduced its use, to be a perfect denial of service tool. (i.e. if you bank at umb.com, a spoof of that IP address directed at you can black-hole it, and your significant other can't reach the website to pay bills, etc.)
Snort can do the "log the conversation for xxx seconds" bit you asked about - it can log the whole thing, truth be known. If you want to get daring, you can look at Snort inline as well. When traffic of a particular type occurs, you can intercept the responses from your system (or others hiding behind your Snort install) and rewrite them on the way out. An excellent use for this is to catch outbound scan attempts from [insert Windows worm of the week here] infestations and kill 'em. I generally don't have this problem, but if folks like, oh, RoadRunner.com were to do this, it would make life a lot easier for the rest of us.
Obviously there are pluses and minuses to pretty much everything. Paper or plastic, Coke or Pepsi, Free or Slave, Kerry or Bush - merely illusions of choice. The same seems to be true of security - short of turning it off and locking it away, there is no silver bullet.
D.
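As an added illustration (not part of this thread, and not Portsentry's or Snort's code), here is a Python sketch of the "automatically update the firewall" step with the safeguards the reply above argues for: a never-block list so a spoofed source can't black-hole your bank, an alert threshold, and blocks that expire. The alert lines, rule IDs and addresses are constructed, and the function returns iptables commands instead of running them so they can be reviewed or mailed first.

```python
import ipaddress
import re
from collections import Counter

# Prefixes that must never be black-holed, whatever the alerts claim (constructed values;
# think of the bank's address range from the reply above).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]
THRESHOLD = 2             # alerts from one source before a block is issued
BLOCK_TTL_SECONDS = 1800  # blocks expire, so a spoofed burst never becomes permanent

# Simplified Snort "fast" alert format (constructed lines, hypothetical rule IDs):
# timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)
SAMPLE_ALERTS = """\
05/23-10:01:02.1 [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 203.0.113.5:41234 -> 198.51.100.9:22
05/23-10:01:02.2 [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 203.0.113.5:41235 -> 198.51.100.9:23
05/23-10:01:05.0 [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 192.0.2.10:5555 -> 198.51.100.9:80
05/23-10:01:05.1 [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 192.0.2.10:5556 -> 198.51.100.9:81
05/23-10:01:09.0 [**] [1:1000002:1] ICMP PING [**] [Priority: 3] {ICMP} 198.18.0.7 -> 198.51.100.9
"""

def parse_alert(line):
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def plan_blocks(lines, now, active):
    """Decide firewall changes for one batch of alert lines. `active` maps source IP ->
    expiry (epoch seconds), updated in place. Returns (commands, {src: reason skipped})."""
    counts = Counter(a["src"] for a in map(parse_alert, lines) if a)
    commands, skipped = [], {}
    for src, expires in list(active.items()):  # lift expired blocks first
        if expires <= now:
            commands.append(f"iptables -D INPUT -s {src} -j DROP")
            del active[src]
    for src, n in counts.items():
        if any(ipaddress.ip_address(src) in net for net in NEVER_BLOCK):
            skipped[src] = "allowlisted"      # spoofed alerts naming it change nothing
        elif n < THRESHOLD:
            skipped[src] = "below threshold"  # one stray packet is not enough
        else:
            if src not in active:
                commands.append(f"iptables -I INPUT -s {src} -j DROP")
            active[src] = now + BLOCK_TTL_SECONDS  # new block, or extend an existing one
    return commands, skipped
```

Call `plan_blocks` on each batch of new alert lines with the current time and a persistent `active` dict; the returned unblock commands are what keep the firewall from silting up on an 8 GB box.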