Security Incidents mailing list archives

Re: traffic logging


From: spiff () BWAY NET (spiff)
Date: Mon, 8 May 2000 06:16:25 -0400


On Wed, 3 May 2000, Damian Gerow wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Humm...  I don't much care for PortSentry's retaliation sequence.  The
> suggested action (blocking the route, adding offending host to
> hosts.deny, setting up a firewall rule to deny all traffic coming from
> the offending host) really turns me off - it creates a nice, simple DoS
> on its own.

I can confirm this to be true. In a recent audit, an nmap scan revealed
that the sysadmin had his home network 'protected' by PortSentry.

After obtaining shell access to some of the DMZ servers we simply
telnetted to one of the 'decoy' ports on the admin's PortSentried gateway,
once from each of the machines.

After that all remote logging and other services (MTA expand, etc) were
cut off.

Very effective.

Took him quite a while to notice, and as soon as the routes were restored,
a quick telnet to port 2000, and they were down again, and we could
perform our deeds unwatched again.

It was several days before he finally exempted his own remote machines
from the ruleset. Which was a mistake, because it was too late.

Note that there were many mistakes and misconfigurations on his part, but
ones made solely on the errant premise that his own machines would not
attack him. Which is quite foolish to believe.

This should not be taken as a critique of PortSentry, just as a caveat
regarding its potential abuses.

spiff
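The failure described in the post is a reactive blocker that cuts off whatever host touched a decoy port, including the gateway's own loghost and MTA once an attacker gets a shell on them. The following is an added example, not code from the post or from PortSentry, of the decision logic a blocker should apply instead: hosts the gateway depends on sit on a never-block list and only raise an alert when they hit a decoy port, while unknown sources are still blocked. The addresses, decoy ports and the `ReactiveBlocker` class are all constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values for this example (not from the original post).
DECOY_PORTS = frozenset({2000, 31337})          # tripwire ports nothing legitimate should touch
NEVER_BLOCK = [                                 # hosts the gateway must always be able to reach
    ipaddress.ip_network("198.51.100.0/24"),    # the DMZ: remote loghost, MTA relay, etc.
    ipaddress.ip_network("203.0.113.5/32"),     # the admin's own remote workstation
]


@dataclass
class ReactiveBlocker:
    """Decision logic for a PortSentry-style reactive blocker (hypothetical).

    The actual blocking action (route, hosts.deny, firewall rule) is out of
    scope; this only decides whether a source may be blocked at all.
    """
    decoy_ports: frozenset
    never_block: list
    blocked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def is_trusted(self, src: str) -> bool:
        """True if src falls inside any never-block network."""
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.never_block)

    def handle(self, src: str, dport: int) -> str:
        """Return the action taken for one connection attempt: ignore, alert or block."""
        if dport not in self.decoy_ports:
            return "ignore"
        if self.is_trusted(src):
            # A trusted host hitting a decoy port is itself a strong signal that the
            # host is compromised, so record an alert, but never sever the path to it:
            # doing so would also sever remote logging and mail, exactly as in the post.
            self.alerts.append(f"decoy port {dport} hit from trusted host {src}")
            return "alert"
        self.blocked.add(src)
        return "block"


def simulate():
    """Replay the scenario from the post with constructed addresses."""
    blocker = ReactiveBlocker(DECOY_PORTS, NEVER_BLOCK)
    events = [
        ("192.0.2.66", 2000),     # unknown scanner probing a decoy port
        ("198.51.100.10", 2000),  # attacker telnets from the compromised loghost
        ("198.51.100.25", 31337), # attacker telnets from the compromised MTA relay
        ("198.51.100.10", 514),   # the loghost's ordinary traffic, not a decoy port
    ]
    actions = [blocker.handle(src, port) for src, port in events]
    return actions, sorted(blocker.blocked), list(blocker.alerts)


if __name__ == "__main__":
    actions, blocked, alerts = simulate()
    print("actions:", actions)
    print("blocked:", blocked)
    for line in alerts:
        print("ALERT:", line)
```

With the allowlist in place the two decoy hits from DMZ hosts produce alerts that point straight at the compromised machines, while logging and mail keep flowing; only the unknown scanner is blocked. The same check generalises to any dependency the gateway cannot afford to lose (DNS resolvers, NTP, the monitoring station), which is the "exempt his own remote machines" fix the post says came too late.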
