viro@math.psu.edu (Alexander Viro) wrote on 10.08.01 in <Pine.GSO.4.21.0108101503250.28666-100000@weyl.math.psu.edu>:
> On Fri, 10 Aug 2001, Richard B. Johnson wrote:
> > I have about 20 megabytes of logs showing the machine being
> > attacked from inside our firewall. Each time an attack occurred,
> > I would firewall-out its phony IP address (ipchains). A few hours
> > later the cycle repeated with another phony IP address.
>
> Instead of trying to see WTF was going on and fixing the problem instead
> of symptoms? _Real_ smart... Or, at least, block everything except the boxen
> that have any business accessing it? You know, with explicit "accept" rules
> in the beginning of the chain with catch-all "reject" after them...
Or at least use something like portsentry. Suspicious packets? Block
first, ask questions later.
MfG Kai
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Aug 15 2001 - 21:00:38 EST