[rescue] A perverse thought (SGI security division)
Caleb Shay
caleb at webninja.com
Thu Mar 11 15:19:54 CST 2004
On 2004-03-11 15:57:54 -0500 Sheldon T. Hall <shel at cmhcsys.com> wrote:
<snip>
>
> How about using this for a more active defense against attackers? If
> the filter detects an unauthorized probing of the ssh port, say, it
> could
>
> kill the sshd
> connect the chargen port to the ssh port
> killall -HUP inetd
> wait a few minutes
> reverse the changes
<snip>
How about this:
1. Unauthorized connection logged
2. SGI tells firewall to add a tarpit on all ports for offending IP
3. Script kiddie now gets uncloseable sockets when they try to ssh in
4. Potentially they get uncloseable sockets during the portscan
depending on how fast the rules get updated. The portscan never
finishes AND it likely forces them to reboot to free up the sockets
Advantages:
No fiddling with stopping/restarting sshd/inetd and keeping valid
users from connecting.
Handles the case where somebody runs an IP/portscan all night and then
tries to connect to anything interesting it found in the morning. You
never need to remove the tarpit rules.
Script kiddie's scanner now hangs the next time they scan your machine
Cheers,
Caleb
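An added example (not from the thread, and not anyone's posted code) of the "log it, then tarpit the offending IP on every port" flow sketched above. It parses constructed sshd log lines, counts unauthorized attempts per source address, skips addresses on an allowlist so a mistyped password from an internal host never locks out real users, and emits the firewall commands instead of running them. The `TARPIT` target is assumed to come from xtables-addons; the log format, the sample addresses and the `never_tarpit` networks are all assumptions for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample sshd log lines (not from the original thread).
SAMPLE_LOG = """\
Mar 11 15:01:02 host sshd[1234]: Invalid user admin from 192.0.2.10
Mar 11 15:01:05 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar 11 15:01:09 host sshd[1236]: Failed password for root from 192.0.2.10 port 51240 ssh2
Mar 11 15:02:00 host sshd[1240]: Accepted publickey for caleb from 203.0.113.5 port 40000 ssh2
Mar 11 15:03:11 host sshd[1241]: Failed password for root from 10.0.0.7 port 41000 ssh2
Mar 11 15:04:00 host sshd[1242]: Invalid user test from 198.51.100.20
"""

# Matches the two common "unauthorized" sshd messages and captures the source IP.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(\d+\.\d+\.\d+\.\d+)"
)

# Assumed allowlist: internal and loopback ranges are never tarpitted, so a
# legitimate user fat-fingering a password cannot trigger a lockout.
NEVER_TARPIT = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]


def unauthorized_ips(log_text):
    """Step 1: count logged unauthorized attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ips_to_tarpit(counts, threshold=1, allowlist=NEVER_TARPIT):
    """Step 2 (decision): which IPs get a tarpit, sorted for stable output."""
    result = []
    for ip, n in sorted(counts.items()):
        if n < threshold:
            continue
        addr = ip_address(ip)
        if any(addr in net for net in allowlist):
            continue
        result.append(ip)
    return result


def tarpit_rules(ips, chain="INPUT"):
    """Step 2 (rules): one TARPIT rule per IP covering every TCP port.

    TARPIT is an xtables-addons target (assumption: it is installed).
    Rules are returned as strings so the caller can review before applying.
    """
    return [f"iptables -I {chain} -s {ip} -p tcp -j TARPIT" for ip in ips]


if __name__ == "__main__":
    counts = unauthorized_ips(SAMPLE_LOG)
    for rule in tarpit_rules(ips_to_tarpit(counts)):
        print(rule)
```

With the sample log, 192.0.2.10 (three attempts) and 198.51.100.20 (one) get a rule; 10.0.0.7 is skipped by the allowlist and the accepted login from 203.0.113.5 is never counted. Because the rule matches `-p tcp` with no `--dport`, it covers every TCP port, which is the "tarpit on all ports" behaviour the post describes.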