You can set up a HONEYPOT server and then just turn on CPMAD. CPMAD will actively block hosts that it detects are hostile, and this is part of FW-1, however it is somewhat simplistic at best.

This brings us to a question I have not heard a lot of answers or opinions on. Everyone is producing all these tools for controlling access to information, detecting unauthorized access or malicious activity, and even the grey hat tools (which everyone here should get familiar with...). However, it doesn't seem like there is a lot of information on best practices for RESPONSE to intrusion attempts etc.

Do you take the approach of just quietly monitoring your systems and only on severe breach contact authorities and abuse depts, or do you act quickly on all cases? Do you have a layered approach where you consider some things not worth reporting and others as worthy of reporting? Do you report people for simply nmap scanning your network?

I would be curious to hear what people here have to say, but it would probably be best that you don't post your replies along with info that would identify which company you work for...since this list is archived and public....heh

My feeling is that if you do not exercise your response systems often enough you might become complacent and trust your basic monitoring tools too much.

I think it's best to set up some honeypots and put them up front and in the middle. Watch them closely, but do not act too quickly. Give them a rope to hang themselves with. If you automatically block their source address when they perform a scan, it will become very apparent to them that they have a firewall monitoring their actions.
----- Original Message -----
Sent: Monday, January 08, 2001 3:34 AM
Subject: [FW1] Can I create a dynamic BLOCK based on "sensor IP's"
Hi,

I would like to create some fake "sensor" IP addresses on a FW1 and create a dynamic BLOCK on the source IP address of those who try to connect to specific ports on this address.

E.g. I would like to add an address and listen for FTP connect attempts. If an attempt is logged, I would like FW1 to execute a BLOCK on the source IP address.

I know that I've seen some kind of scripting in the past to accomplish this, but I cannot find any references to them anymore.

All suggestions are welcome!

Thx,
Patrick
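As an added example, not code from this thread or from Check Point: a small Python triage routine for the policy discussed above, watching who touches the fake "sensor" addresses on the FTP port and only nominating a source for a block after repeated attempts rather than on the first scan. The log line format, the sensor addresses and the threshold are constructed assumptions, not FW-1's real log layout.

```python
import re
from collections import defaultdict

# Constructed, simplified log format (NOT Check Point's real FW-1 log layout):
#   "<time> src=<ip> dst=<ip> dport=<port> action=<accept|drop>"
LOG_RE = re.compile(
    r"^(?P<time>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

# Assumed "sensor" addresses (documentation range) and the FTP port from the question.
SENSOR_ADDRS = {"192.0.2.10", "192.0.2.11"}
WATCHED_PORTS = {21}

def parse_line(line):
    """Return the parsed fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def triage(lines, sensors=SENSOR_ADDRS, ports=WATCHED_PORTS, threshold=3):
    """Count attempts per source against sensor addresses on watched ports.

    Returns {src: (verdict, count)} where verdict is "block" once a source
    reaches `threshold` attempts and "watch" (silent monitoring) below it.
    Traffic to non-sensor hosts and unparseable lines are ignored.
    """
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip junk rather than letting it poison the counts
        if rec["dst"] in sensors and rec["dport"] in ports:
            hits[rec["src"]] += 1
    return {src: ("block" if n >= threshold else "watch", n) for src, n in hits.items()}

# Constructed sample: one source probes the sensors repeatedly, another once,
# a third only talks to a real (non-sensor) host, plus one garbage line.
SAMPLE_LOG = [
    "08:00:01 src=198.51.100.7 dst=192.0.2.10 dport=21 action=drop",
    "08:00:05 src=198.51.100.7 dst=192.0.2.11 dport=21 action=drop",
    "08:00:09 src=198.51.100.7 dst=192.0.2.10 dport=21 action=drop",
    "08:01:00 src=198.51.100.8 dst=192.0.2.10 dport=21 action=drop",
    "08:01:30 src=203.0.113.5 dst=192.0.2.50 dport=21 action=accept",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for src, (verdict, n) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src}: {verdict} ({n} sensor hits)")
```

Raising `threshold` is the knob for "do not act too quickly"; a verdict of "block" is a candidate for the dynamic block rule, not an automatic action.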