[rescue] A perverse thought (SGI security division)

Caleb Shay caleb at webninja.com
Thu Mar 11 15:19:54 CST 2004

On 2004-03-11 15:57:54 -0500 Sheldon T. Hall <shel at cmhcsys.com> wrote:
> How about using this for a more active defense against attackers?  If 
> the
> filter detects an unauthorized probing of the ssh port, say, it could
> 	kill the sshd
> 	connect the chargen port to the ssh port
> 	killall -HUP inetd
> 	wait a few minutes
> 	reverse the changes


How about this:

1. Unauthorized connection logged
2. SGI tells firewall to add a tarpit on all ports for offending IP
3. Script kiddie now gets uncloseable sockets when they try to ssh in
4. Potentially they get uncloseable sockets during the portscan 
depending on how fast the rules get updated. The portscan never 
finishes AND it likely forces them to reboot to free up the sockets

No fiddling with stopping/restarting sshd/inetd and keeping valid 
users from connecting.
Handles case where somebody runs a ip/portscan all night and then 
tries to connect to anything interesting it found in the morning.  You 
never need to remove the tarpit rules.
Script kiddie's scanner now hangs the next time they scan your machine



More information about the rescue mailing list