From: Tim <t....@co...> - 2005-02-23 17:17:07
Bruce Smith wrote:

>> You're familiar with the term reactive firewall, right? I was wondering
>> if DL can be tweaked to, say, connect back to an attacker and spawn a
>> shell and execute code against their box, or perhaps be conditional,
>> like warn and, if the attacker persists, execute a command to, say, block
>> their IP and crash their machine. Of course, if they poisoned their ARP
>> cache and spoofed their IP, the IP block wouldn't do much more than bog
>> down the machine. I'm going to try to roll my own and test it, but I'd
>> like to see if I can make it reactive in the process.
>
> To attack other machines could be illegal in many areas, so we will
> _NOT_ add anything like that to DL.
>
> You can use the "recent" module of iptables to drop/reject excessive
> connection attempts to your machine, but it does not initiate any
> packets to the source of the attack. You'd have to write that manually
> since we don't have any code or examples of the "recent" module in the
> default DL firewall rules.
>
> - BS

I had a SnapGear firewall Linux appliance with IDB (Intrusion Detection and Blocking); it actually worked fairly well. You set it up to trigger on obvious TCP ports like MSSQL (1433) or NetBIOS (137/8/9). Anybody who scans me on those ports I don't want in on any port... UDP is not good because it's too easy to forge. I don't know if that was proprietary or open source, though... but it's not really rocket science.

It might be nice to auto-expire the entries if possible. Does iptables now do this?

I agree automated counter attacks are a really bad idea.

Tim
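As an added example (not code from this thread or from the DL project), here is how the iptables "recent" module Bruce mentions can do the bait-port blocking Tim describes, with the auto-expiry he asks about: the `--seconds` option makes an entry lapse on its own. The port list, list name and timeout are constructed values for the example; `IPT` can be pointed at `echo iptables` to preview the rules instead of applying them.

```shell
#!/bin/sh
# Added example: block any source that sends a TCP SYN to a bait port
# (ports a legitimate peer never touches here), and let the block expire.
# Only TCP is used, for the reason Tim gives: UDP sources are too easy to forge.
IPT="${IPT:-iptables}"                        # set IPT="echo iptables" to preview
BAIT_PORTS="${BAIT_PORTS:-1433,137,138,139}"  # constructed: MSSQL + NetBIOS, as in the post
BLOCK_SECONDS="${BLOCK_SECONDS:-3600}"        # constructed expiry window
LIST="${LIST:-scanners}"                      # name of the recent-module address list

bait_block_rules() {
    # 1. Drop anything from a source already on the list whose entry is
    #    younger than BLOCK_SECONDS. --update refreshes the timestamp on
    #    each hit, so the block lasts BLOCK_SECONDS past the attacker's
    #    LAST packet (sliding expiry). Use --rcheck instead of --update for
    #    a fixed expiry measured from the first bait-port hit.
    $IPT -A INPUT -m recent --name "$LIST" --update --seconds "$BLOCK_SECONDS" -j DROP

    # 2. A fresh SYN to a bait port puts the source on the list and is dropped.
    #    Nothing is ever sent back toward the source: drop only, no counterattack.
    $IPT -A INPUT -p tcp --syn -m multiport --dports "$BAIT_PORTS" \
        -m recent --name "$LIST" --set -j DROP
}

# Inspect the live list (address, last-seen tick, hit count). Older kernels
# expose the same file under /proc/net/ipt_recent/ instead.
show_blocked() {
    cat "/proc/net/xt_recent/$LIST"
}

# Apply only when explicitly asked, so sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    bait_block_rules
fi
```

Put these two rules before the ACCEPT rules for your real services, otherwise a scanner that also probes an open port still gets through on it.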