From: Raymond Lewis Rebbeck
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them
Date: Fri, 23 Feb 2007 03:49:31 +1030
In-Reply-To: <1172162733.11117.35.camel@camille.espersunited.com>
Message-Id: <200702230349.31655.dystopianray@gmail.com>

On Friday, 23 February 2007 3:15, Michael Sullivan wrote:
> I have logsentry installed on my system which sends me hourly reports
> about possible hack attempts on my three boxes. I use ipkungfu for my
> firewall. I've stuck with the default configuration for ipkungfu,
> except for listing each of my machines in my LAN in the
> accepted_hosts.conf file. I also set ipkungfu to drop all offensive
> packets (not sure if that's the default or not.) Whenever I see someone
> trying to break in in the logsentry reports, I add their IP to the
> deny_hosts.conf file and restart ipkungfu so that the changes will take
> effect. I'm wondering why if these offending IPs in deny_hosts.conf are
> being stopped at the firewall I'm still seeing them fail to authenticate
> to my FTP and ssh servers?

If you think you've set up your firewall to block these IPs and yet they
are still able to access your machines, then it sounds like your firewall
is misconfigured and isn't blocking the IPs.

> Also, I've always heard that you shouldn't
> have any ports open on your machine unless you have some server bound to
> that port because hackers can get in through unbound open ports. Is
> this true?

I've never heard of this. All ports that you don't want accessible from
the internet should be completely blocked by your firewall if you have it
correctly configured.

> If so, how does it work? What do they connect to if
> nothing's running on the port they're trying? I know the concept of a
> backdoor in a running program, but if no program is running on said port
> for them to connect to, how do they get in???

They connect to nothing; they shouldn't be able to establish a connection.

> -Michael Sullivan-

-- 
Raymond Lewis Rebbeck
-- 
gentoo-user@gentoo.org mailing list
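The two checks below are an added example, not part of the thread and not code from ipkungfu or logsentry. They cover both points the reply makes: a deny-listed host that still reaches sshd is usually a rule-ordering problem (iptables evaluates a chain top-down and the first match wins, so a service ACCEPT placed before the deny DROP makes the DROP dead), and a port with nothing bound to it answers a SYN with RST, so there is nothing to connect to. The iptables-save text is constructed for the example (it assumes ipkungfu drives iptables, which is an assumption here), and the addresses are from documentation ranges.

```python
import errno
import ipaddress
import re
import socket

# --- 1. What does a client actually see on a TCP port? ---------------------

def classify_port(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for host:port as a client sees it.

    open     = something is listening; connect() completes.
    closed   = nothing bound; the kernel answers the SYN with RST and connect()
               fails with ECONNREFUSED. There is no process to "get in" to.
    filtered = no answer at all within `timeout`; this is what a firewall DROP
               looks like from the outside. A host that is really deny-listed
               should see 'filtered' on every port, not 'open' on 22.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "closed"
        raise
    finally:
        s.close()


def demo_ports():
    """Probe one loopback port with a listener, then again with none."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))          # port 0: kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        with_listener = classify_port("127.0.0.1", port)
    without_listener = classify_port("127.0.0.1", port)  # listener now gone
    return with_listener, without_listener


# --- 2. Which INPUT rule wins for a given source address? ------------------

_RULE = re.compile(r"^-A INPUT\s+(?P<spec>.*?)\s*-j\s+(?P<target>\S+)\s*$")

def parse_input_rules(save_text):
    """Extract INPUT rules from iptables-save text, in evaluation order.
    Only -i, -s, --dport and --state are modelled; any other matcher is
    ignored (treated as matching), so an ACCEPT reported here is an upper
    bound, while a DROP reported first is reliable."""
    rules = []
    for line in save_text.splitlines():
        m = _RULE.match(line.strip())
        if not m:
            continue
        spec = m.group("spec")

        def opt(flag):
            mm = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", spec)
            return mm.group(1) if mm else None

        rules.append({
            "raw": line.strip(),
            "target": m.group("target"),
            "iface": opt("-i"),
            "src": ipaddress.ip_network(opt("-s"), strict=False) if opt("-s") else None,
            "dport": int(opt("--dport")) if opt("--dport") else None,
            "states": opt("--state").split(",") if opt("--state") else None,
        })
    return rules


def first_match(save_text, src_ip, dport, iface="eth0"):
    """Simulate a fresh inbound SYN from src_ip to dport arriving on iface.
    Returns (1-based rule number, target, raw rule) for the first INPUT rule
    that matches, or (None, 'POLICY', None) if the chain policy applies."""
    ip = ipaddress.ip_address(src_ip)
    for n, r in enumerate(parse_input_rules(save_text), 1):
        if r["iface"] is not None and r["iface"] != iface:
            continue
        if r["src"] is not None and ip not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["states"] is not None and "NEW" not in r["states"]:
            continue        # a new SYN is neither RELATED nor ESTABLISHED
        return n, r["target"], r["raw"]
    return None, "POLICY", None


# Constructed rulesets (hypothetical, not a real ipkungfu dump). In BROKEN the
# deny entry for 203.0.113.7 sits after the ssh/ftp ACCEPTs, so it never fires.
BROKEN = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -j DROP
COMMIT
"""
# Same rules with the deny entry evaluated first.
FIXED = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    print("ports (listener, none):", demo_ports())
    print("BROKEN, 203.0.113.7 -> :22:", first_match(BROKEN, "203.0.113.7", 22))
    print("FIXED,  203.0.113.7 -> :22:", first_match(FIXED, "203.0.113.7", 22))
```

On a live box the same question is answered by `iptables -S INPUT` (or `iptables-save`) fed to `first_match`, and by watching the packet counters in `iptables -L INPUT -n -v` while the deny-listed address retries: a DROP rule whose counter never moves is one that is never reached.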