gabriel rosenkoetter on Thu, 8 Mar 2001 15:25:34 -0500



Re: [PLUG] portmap and other things


On Thu, Mar 08, 2001 at 01:33:04PM -0500, Jason Wertz wrote:
> I'm in the process of learning more about "real" security and
> increasing the security of my machines and have found portsentry
> along with logcheck...http://www.psionic.com/abacus/logcheck to be
> very useful for detecting oddities and automating log audits. The
> more I learn the more I'm sure I'll move to better practices, but
> I view these tools as better than nothing at my current level of
> security know-how.

That's not insensible.

I still say that seeing what would have come *after* the portscan
completed is more educational than seeing the portscan is, and you
won't ever see that if you blackhole the host (because the attacker,
automated or not, won't bother to try).

> Most script kiddies seem to target linux machines with a .edu
> address because they know most colleges have limited resources and
> tend to use Linux for the price w/o really knowing much about it
> (one big honeypot).

Speaking as a sysadmin on a college campus, that is NOT the reason
.edu is targeted. There are a few Linux boxes in the computing
services set up here (Cobalt RaQs, if anybody cares), but they're
not any kind of risk. The danger is the number of students who
decide to install Linux (whether for CS classes or for other reasons)
without having any system administration or security auditing
experience. Two years ago, we (in the CS department) had user
passwords sniffed and potentially had a root compromise on our main
Solaris box (don't think the intruder ever actually got his rootkit
to work, but we didn't take any chances and chose to just wipe and
reinstall the system). All this because a student out in a dorm
didn't bother to secure his RH 6.1 box at all. And students aren't
the only ones; we've had swarthmore.edu threatened with SMTP
blackholing because of profs with open mail relays in their offices.

Adam Preset, who at least used to read this list, could tell you
more about the agony administrating even a small college. He runs an
incredibly tight ship... but he only controls the official college
machines. There's the rest of 130.58/16 out there for students and
profs to do dumb shit in.

> I like the fact that PortSentry just keeps me
> aware of how often we are being portscanned, no matter who is doing
> it. I don't really care that I'm being scanned but I just want to
> be aware of it. I'm not really using the utility for security by
> obscurity, by the number of scans detected in a week people definitely
> know we're here.

Not saying logging port scans isn't a good idea (on the contrary,
keeping track of that is extremely good), I'm just against that
being the only information you ever get.

       ~ g r @ eclipsed.net


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug