[Dshield] Question for all

David McGaughey mcgoy at plumbearcat.com
Fri Feb 6 19:13:28 GMT 2004

I would put the full-blown IDS inside my firewall.  That way you can also
tell which of your internal machines are possibly infected and scanning the
Internet (assuming you NAT).  Now for the outside of the firewall, I have a
few ifs:


IF you've 30 some odd or greater addresses from your ISP, and IF you are
currently only using a very few of those addresses, and IF you've got some
old clunker of a machine handy THEN


Put Linux on it and configure TCP Wrapper and XINETD to make a lightweight
IDS for a few selected ports, say Telnet, the r-commands, and a few others
that might be thought of as targets for the slow scanner.  Then configure
your Linux box to listen on all of the available IPs that you aren't using
on your ISP's subnet that you've purchased.  You've not spent much money and
you've instrumented your whole external network with a slow/hostile scan


David McGaughey, GSEC

About:  http://mcgoy.plumbearcat.com/RESCOMPU.htm
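The unused-address sensor described in the post, as an added example that is not from the original author: one function emits an xinetd service stanza bound to a spare address that logs every connection to syslog, and a second function sifts xinetd's "START:" log lines for sources that have touched several sensor services (the slow-scanner signal). The path /usr/local/sbin/sensor-answer is an assumed name for a script that reads one line and exits; the log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post.
# sensor-answer (assumed name) is any tiny script that reads a line and exits;
# xinetd itself does the logging, so the server needs no logic of its own.

# Print an xinetd stanza for service $1 listening only on unused address $2.
sensor_service() {
  svc=$1; ip=$2
  printf 'service %s\n{\n' "$svc"
  printf '    socket_type = stream\n    protocol    = tcp\n    wait        = no\n'
  printf '    user        = nobody\n    bind        = %s\n' "$ip"
  printf '    server      = /usr/local/sbin/sensor-answer\n'
  printf '    log_type    = SYSLOG daemon info\n'
  printf '    log_on_success = HOST PID\n    log_on_failure = HOST\n}\n'
}

# Constructed sample syslog lines in xinetd's "START: <svc> pid=<n> from=<addr>" form.
# 198.51.100.7 probes telnet, rsh (xinetd service "shell") and rlogin ("login")
# over an hour; 203.0.113.9 touches a single service once.
SAMPLE_LOG='Feb  6 19:01:02 sensor xinetd[410]: START: telnet pid=411 from=198.51.100.7
Feb  6 19:20:15 sensor xinetd[410]: START: shell pid=412 from=198.51.100.7
Feb  6 19:55:40 sensor xinetd[410]: START: login pid=413 from=198.51.100.7
Feb  6 20:03:09 sensor xinetd[410]: START: telnet pid=414 from=203.0.113.9'

# Read xinetd log lines on stdin; print "<count> <addr>" for every source that
# connected to at least $1 distinct sensor services (repeat hits on one service
# count once, so a chatty single-port client is not mistaken for a scanner).
slow_scanners() {
  min=$1
  grep 'START:' | sed -n 's/.*START: \([^ ]*\) .*from=\([^ ]*\).*/\2 \1/p' \
    | sort -u \
    | awk -v min="$min" '{n[$1]++} END{for(a in n) if(n[a]>=min) print n[a], a}'
}

# Example run: printf '%s\n' "$SAMPLE_LOG" | slow_scanners 3   -> "3 198.51.100.7"
```

Drop the generated stanza into /etc/xinetd.d/ once per spare address and service, and feed the daemon log through slow_scanners from cron to get a daily list of probing sources.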


