Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I saw an entry in today's logs for a host that requested a GET http://192.168.x.x (i.e., a LAN IP address, though in the end not a working one). I hadn't seen anything like that before; usually I just see file requests. There was only one of these.
Is this a usual kind of request, or should I be concerned?
Seeing this prompted me to look for tcpd, but I couldn't find it. Strange. I had thought this was installed. I do have portsentry, though, and so put a new entry into my hosts.deny. I'm hoping portsentry refers to that file to make its decisions.
Block the ranges off at the fw. 192.0.0.0/8, just like the 127.0.0.0/8 IANA ranges aren't sposed to be routable on the net, and any outside request for an address like these should be dropped.
Portsentry has it's own allow/deny tables, but dumping an address to any other app like Tcpwrappers or fw is easy, the cmd is in the config. With a little bit of work you could make a shell script that would tally IP's, and beyond a certain treshold block just their offending /24, /16 or /8 :-]
Maybe unwanted advice, but Portsentry by now isn't considered very effective, using Snort would be better. Why? Because Portsentry only *listens* for connections made to a port, not classifying traffic. So it's easy to trip it by just using a scanner or packet mangler and try to feed it bogus addresses that will be blocked.
Snort OTOH examines packets for "bad" contents based on content rules and raises alerts for those (--with-flexresp), that can be handed off to any other app using the distributed 3rd party apps that come with the tarball. Just like with AV software you'll be able to regularly update the rules bases, and you get the ability to write your own rules.
Originally posted by unSpawn Block the ranges off at the fw. 192.0.0.0/8, just like the 127.0.0.0/8 IANA ranges aren't sposed to be routable on the net, and any outside request for an address like these should be dropped.
Where do I find this? I've configured a firewall using the Mandrake GUI. But, it's not that I don't trust it, it just leaves me uninformed as to what's going on. I need to start viewing the actual files for this stuff.
And re: Portsentry...
Quote:
using Snort would be better. Why? Because Portsentry only *listens* for connections made to a port, not classifying traffic. So it's easy to trip it by just using a scanner or packet mangler and try to feed it bogus addresses that will be blocked.
Snort OTOH examines packets for "bad" contents based on content rules and raises alerts for those (--with-flexresp), that can be handed off to any other app using the distributed 3rd party apps that come with the tarball. Just like with AV software you'll be able to regularly update the rules bases, and you get the ability to write your own rules.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
