@home security scans

sinck@corp.quepasa.com
Fri, 10 Mar 2000 09:43:40 -0700 (MST)


\_ > They won't care about that but if you're running any kind of "server" software
\_ > (apache, sendmail, ftpd, telnetd etc) I recommend
\_ > 
\_ > ipfwadm -I -a deny -S 24.0.0.0/8
\_ > 
\_ >  - a good security precaution as well as preventing them from finding out
\_ > what ports you have open.  And you will also have to make exceptions for
\_ > the DNS servers, web server, news server and any other @home machines you
\_ > need to access.  For example,
\_ > 
\_ > ipfwadm -I -a accept -S 24.1.240.33/32
\_ > ipfwadm -I -a accept -S 24.1.240.34/32
\_ > ipfwadm -I -a accept -S 24.1.240.71/32
\_ > 
\_ > Put those rules in before the "deny" rule because the first matching rule
\_ > will set the policy.  And of course the syntax is different for ipchains
\_ > (for kernels in the 2.2 series).

I've got my firewall set so that only "trusted" @home users can
connect on a few ports, a few basic @home servers can connect on some
ports, and everything else from @home jumps to reject (a bit more
brutal than deny).  Also investigate the -y flag (perhaps only valid
in ipchains?) that IIRC says don't start inbound connections on that
port, but allow connections back to that port if it started them.

And, in the FWIW department, I think 24.0.0.0/8 will block more than
@home, which the last report on PLUG I saw was only 24.1.x.x -
24.14.x.x.

YMMV.  RTFM.

\_ Actually, they may wise up and start running those scans from a
\_ nameserver.  (It's what I would do.)  Then you would have to allow DNS
\_ through while blocking all other ports from that IP, instead of blanket
\_ denying the IP.

What I'm more concerned with is if they don't scan from 24.x.....

David
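Added example, not code from the original post or from anyone on the list: a small first-match packet filter written in Python that models the ordering rule the quoted mail describes ("the first matching rule will set the policy"). The three accept addresses and the 24.0.0.0/8 deny are the ones quoted above; the Rule and Packet types, the syn_only flag (standing in for the -y idea of matching only connection-opening SYNs, not the exact ipfwadm/ipchains semantics), and the sample packets are my own assumptions. It also goes slightly beyond the text by showing what happens when the deny is placed first, and that a /8 deny also catches a 24.200.x.x host that the poster's report says is not @home.

```python
# Added example (not from the original post): a tiny first-match packet
# filter that models the rule ordering described in the thread.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    policy: str                   # "accept", "deny" or "reject"
    src: str                      # source network in CIDR notation
    dport: Optional[int] = None   # destination port, None = any port
    syn_only: bool = False        # assumed stand-in for "-y": match only SYNs


@dataclass
class Packet:
    src: str
    dport: int
    syn: bool                     # True for a segment opening a new connection


def evaluate(rules: List[Rule], pkt: Packet, default: str = "accept") -> str:
    """Return the policy of the first rule matching pkt, else the chain default."""
    src = ipaddress.ip_address(pkt.src)
    for r in rules:
        if src not in ipaddress.ip_network(r.src, strict=False):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.syn_only and not pkt.syn:
            continue
        return r.policy        # first match wins; later rules are never consulted
    return default


# Rule set in the order the quoted mail recommends: exceptions first,
# then the /8 deny. Addresses are the ones quoted in the thread.
GOOD_ORDER = [
    Rule("accept", "24.1.240.33/32"),
    Rule("accept", "24.1.240.34/32"),
    Rule("accept", "24.1.240.71/32"),
    Rule("deny",   "24.0.0.0/8"),
]

# Same rules with the deny placed first: the accepts are shadowed and never fire.
BAD_ORDER = [GOOD_ORDER[3]] + GOOD_ORDER[:3]

# Variant modelled on the "-y" idea: reject only connection attempts from the
# /8, so replies to connections this host opened (non-SYN segments) still pass.
SYN_ONLY = [
    Rule("accept", "24.1.240.33/32", dport=53),
    Rule("reject", "24.0.0.0/8", syn_only=True),
]


def demo() -> Dict[str, str]:
    """Evaluate constructed sample packets against each rule set."""
    dns_server = Packet("24.1.240.33", 25, syn=True)     # quoted @home server
    stranger = Packet("24.5.6.7", 25, syn=True)          # constructed: unknown @home host
    reply = Packet("24.5.6.7", 1025, syn=False)          # constructed: return traffic
    not_home = Packet("24.200.1.1", 25, syn=True)        # constructed: in 24/8, not @home
    return {
        "good_dns": evaluate(GOOD_ORDER, dns_server),    # accept
        "good_stranger": evaluate(GOOD_ORDER, stranger), # deny
        "bad_dns": evaluate(BAD_ORDER, dns_server),      # deny: shadowed by the /8
        "over_block": evaluate(GOOD_ORDER, not_home),    # deny: /8 is wider than @home
        "syn_stranger": evaluate(SYN_ONLY, stranger),    # reject: opening a connection
        "syn_reply": evaluate(SYN_ONLY, reply),          # accept: not a SYN
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The BAD_ORDER result is the practical check: if you append the accepts after the deny, the @home DNS server is cut off even though an accept rule for it exists, which is exactly why the quoted mail says to put the exceptions in first.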