Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I saw an entry in today's logs for a host that requested a GET http://192.168.x.x (i.e., a LAN IP address, though in the end not a working one). I hadn't seen anything like that before; usually I just see file requests. There was only one of these.
Is this a usual kind of request, or should I be concerned?
Seeing this prompted me to look for tcpd, but I couldn't find it. Strange. I had thought this was installed. I do have portsentry, though, and so put a new entry into my hosts.deny. I'm hoping portsentry refers to that file to make its decisions.
Block the ranges off at the fw. 192.0.0.0/8, just like the 127.0.0.0/8 IANA ranges, aren't supposed to be routable on the net, and any outside request for an address like these should be dropped.
Portsentry has its own allow/deny tables, but dumping an address to any other app like Tcpwrappers or the fw is easy; the cmd is in the config. With a little bit of work you could make a shell script that would tally IPs and, beyond a certain threshold, block just their offending /24, /16 or /8 :-]
Maybe unwanted advice, but Portsentry by now isn't considered very effective; using Snort would be better. Why? Because Portsentry only *listens* for connections made to a port, not classifying traffic. So it's easy to trip it by just using a scanner or packet mangler and trying to feed it bogus addresses that will be blocked.
Snort OTOH examines packets for "bad" contents based on content rules and raises alerts for those (--with-flexresp), which can be handed off to any other app using the 3rd party apps distributed with the tarball. Just like with AV software you'll be able to regularly update the rule bases, and you get the ability to write your own rules.
Quote:
Originally posted by unSpawn
Block the ranges off at the fw. 192.0.0.0/8, just like the 127.0.0.0/8 IANA ranges, aren't supposed to be routable on the net, and any outside request for an address like these should be dropped.
Where do I find this? I've configured a firewall using the Mandrake GUI. But it's not that I don't trust it; it just leaves me uninformed as to what's going on. I need to start viewing the actual files for this stuff.
And re: Portsentry...
Quote:
using Snort would be better. Why? Because Portsentry only *listens* for connections made to a port, not classifying traffic. So it's easy to trip it by just using a scanner or packet mangler and trying to feed it bogus addresses that will be blocked.
Snort OTOH examines packets for "bad" contents based on content rules and raises alerts for those (--with-flexresp), which can be handed off to any other app using the 3rd party apps distributed with the tarball. Just like with AV software you'll be able to regularly update the rule bases, and you get the ability to write your own rules.
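As an added example, not written by any poster in this thread: a Python script that does what unSpawn describes (tally the clients making proxy-style requests for non-routable addresses and propose a block for their /24 once they pass a threshold) and also renders the "drop the non-routable ranges at the firewall" rules asked about above. Everything in it is constructed: the sample log lines, the interface name eth0, the threshold, and the address list, which uses the RFC 1918 blocks plus loopback and link-local rather than whole /8s. It only prints iptables commands for review and applies nothing to a live firewall.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): tally proxy-style requests aimed at
non-routable addresses per client, propose firewall blocks for repeat
offenders, and render the static "drop bogus sources" rules for the
external interface. Commands are returned as strings for review; nothing
is applied to a live firewall."""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Address blocks that should neither arrive from, nor be asked for by, the
# public Internet: RFC 1918 private space, loopback and link-local (assumed list).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Apache common/combined log format: client IP, then the quoted request line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for outside clients.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2003:13:55:40 +0200] "GET http://192.168.1.1/ HTTP/1.0" 404 208
10.0.0.5 - - [10/Oct/2003:13:55:36 +0200] "GET /index.html HTTP/1.0" 200 2326
203.0.113.7 - - [10/Oct/2003:13:56:02 +0200] "GET http://192.168.1.1/admin HTTP/1.0" 404 208
203.0.113.9 - - [10/Oct/2003:13:56:30 +0200] "GET http://127.0.0.1/ HTTP/1.0" 404 208
198.51.100.9 - - [10/Oct/2003:14:01:11 +0200] "GET http://10.1.2.3/ HTTP/1.0" 404 208
198.51.100.9 - - [10/Oct/2003:14:02:11 +0200] "GET /robots.txt HTTP/1.0" 200 68
garbage line that does not parse
"""


def is_non_routable(host):
    """True if host is an IP literal inside one of the NON_ROUTABLE blocks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False          # a hostname, not an address literal
    return any(addr in net for net in NON_ROUTABLE)


def suspicious_target(target):
    """Absolute-URI (proxy style) request whose host is non-routable."""
    if not target.lower().startswith(("http://", "https://")):
        return False          # ordinary path request such as /index.html
    host = urlsplit(target).hostname
    return host is not None and is_non_routable(host)


def tally_suspicious(lines):
    """Count suspicious requests per client address; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and suspicious_target(m.group("target")):
            counts[m.group("client")] += 1
    return counts


def suggest_blocks(counts, threshold=2, prefixlen=24):
    """Aggregate offenders into /prefixlen networks and return those at or
    above threshold as (network, hits) pairs, busiest first."""
    per_net = Counter()
    for client, hits in counts.items():
        net = ipaddress.ip_network(f"{client}/{prefixlen}", strict=False)
        per_net[str(net)] += hits
    return sorted(((n, h) for n, h in per_net.items() if h >= threshold),
                  key=lambda item: (-item[1], item[0]))


def iptables_rules(blocks, iface="eth0"):
    """Render DROP rules: the static non-routable source filters for the
    external interface first, then one rule per suggested block (iface assumed)."""
    rules = [f"iptables -A INPUT -i {iface} -s {net} -j DROP" for net in NON_ROUTABLE]
    rules += [f"iptables -A INPUT -i {iface} -s {net} -j DROP" for net, _ in blocks]
    return rules


if __name__ == "__main__":
    hits = tally_suspicious(SAMPLE_LOG.splitlines())
    print("\n".join(iptables_rules(suggest_blocks(hits))))
```

Run it as-is to see the rule list for the constructed log, or feed it a real access log with `tally_suspicious(open(path))`. Raising prefixlen to 32 blocks single hosts, lowering it to 16 or 8 widens the block the way unSpawn mentions; the threshold keeps a single stray request, like the one in the original post, from triggering anything.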