Security Basics mailing list archives
Re: IDS which denies access after one "false" scanned port
From: Samuel Lavitt <samuel.lavitt () tectia com>
Date: Wed, 21 Dec 2011 18:44:18 +0200
I encountered a system like this before, it was an IDS setup by some consultants from IBM for a project I audited, as part of one of their outsourced websphere systems. I do not know the actual IDS, but it made the audit damn difficult, as it was also prone to locking me out whenever I caused too many server errors (where too many was something ~50 HTTP 400s or 500s in a 15m period). Burp's automated intruder, directory scans, etc. were all worthless as a result. Did manage some success using purely manual testing, mostly simple XSS attacks though, worked well on the language selection ;) On 12/21/2011 02:20 PM, Martin T wrote:
I found a webserver, which serves webpage on TCP port 80, but in case I try to connect to any other TCP port, my IP will be blocked for 10min. Example below: [root@ ~]# ping -qc1 www.<domain>.com PING www.<domain>.com (10.10.10.3): 56 data bytes --- www.<domain>.com ping statistics --- 1 packets transmitted, 1 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 1.793/1.793/1.793/0.000 ms [root@ ~]# telnet www.<domain>.com 80 Trying 10.10.10.3... Connected to www.<domain>.com. Escape character is '^]'. Connection closed by foreign host. [root@ ~]# telnet www.<domain>.com 37219 Trying 10.10.10.3... ^C [root@ ~]# telnet www.<domain>.com 80 Trying 10.10.10.3... ^C [root@ ~]# ping -qc1 www.<domain>.com PING www.<domain>.com (10.10.10.3): 56 data bytes --- www.<domain>.com ping statistics --- 1 packets transmitted, 0 packets received, 100.0% packet loss [root@ ~]# Anyone seen such behavior before? Is it somehow possible to detect/guess, which IDS this might be? Any other suggestions how to find out more information about this IDS and server behind it? regards, martin ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- IDS which denies access after one "false" scanned port Martin T (Dec 21)
- Re: IDS which denies access after one "false" scanned port Samuel Lavitt (Dec 21)
- Re: IDS which denies access after one "false" scanned port Matthew Caron (Dec 21)
- Re: IDS which denies access after one "false" scanned port Orlando Leon (Dec 21)
- Re: IDS which denies access after one "false" scanned port Todd Haverkos (Dec 22)
- Re: IDS which denies access after one "false" scanned port Brent Huston (Dec 22)