Re: Deny rules...

From: Jim Harrison [MSFT] (jmharr_at_online.microsoft.com)
Date: 04/11/04


Date: Sun, 11 Apr 2004 10:56:27 -0700

The fact is, if ISA reported an "attack" from that IP, it was already blocked.
The script isn't making you "more secure"; it's making you "more blind".

Scanners don't do you any harm if ISA doesn't respond; they can't even tell if you're there.

-- 
 Jim Harrison [ISASE]
 Read the help, books and articles!
 This posting is provided "AS IS" with no warranties, and confers no rights.
"Steinarr.G." <steinki@dynamicsystems.dk> wrote in message news:%23U0pnbxHEHA.1528@TK2MSFTNGP09.phx.gbl...
Thanks, good point.
The way I do it is everything has to do with client sets concerning
remote access.
The script makes sure the IP to be blocked is not its own IP.
I have a few outside servers to connect from to my servers and I get mails
concerning everything,
and in most cases I have very important things sent to me by SMS message to
my telephone.
I have my ISA with its reporting system, and then I have Snort inside my
reporting direct to SMS.
Still there are holes I'm working on that I consider risky; I'm hoping to
be lucky until I'm finished.
I just feel like I must get this to block automatically, even if only for a short
period of time; I thought it might be smarter than
nothing at all.
But as you say, this MAC address spoof is actually too easy with macspoof in
lin, that you got me to think. =)
Still I think about whether it's not better to block 99% of scanners, and then
when he or him who knows his way around
will get through no matter if I have this auto block or not...
Please tell me if I make sense or what you think!
==================================
Regards.
Steinki.
"Jim Harrison [MSFT]" <jmharr@online.microsoft.com> wrote in message
news:%237B3lLxHEHA.716@TK2MSFTNGP12.phx.gbl...
> Don't use that script unless you like pulling your hair out.
> There is no way a script can accurately determine whether or not a single
> "event" is worth blocking all traffic from a single IP.
> With the data available to the script, all it takes is one attack from
> someone spoofing your own IP and you're out of business.
>
> Learn to read and analyze your ISA logs.
> -- 
>  Jim Harrison [ISASE]
>  Read the help, books and articles!
>
>  This posting is provided "AS IS" with no warranties, and confers no
>  rights.
>
>
> "Steinarr.G." <steinki@dynamicsystems.dk> wrote in message
> news:%23oIZxlqHEHA.3696@TK2MSFTNGP10.phx.gbl...
> Good scripts there.
>
> But I still have the same bug.
> I tested this great BlockAttacker and it works to create the rule,
> but I have the same bug: it does not affect published servers.
>
> The way I test this is I scan from a server elsewhere and see the rule
> created.
>
> Then I test a web page behind a published server and it shows;
> then I telnet the site on port 80 to be sure, and it answers fine.
>
> Any ideas?
>
> Regards
> Steinki.
>
>
> "Tony Su" <anonymous@discussions.microsoft.com> wrote in message
> news:1aaba01c41e9b$a9c264f0$a301280a@phx.gbl...
> The code is pretty much spelled out in a page at
> msdn.microsoft.com; this code was created a while ago.
> Configure IDS alerts to trigger and run the script.
>
> http://www.toolzz.com/Downloads/ISATools/Jalojash/BlockAttacker.zip
>
> Before deploying, understand how it works and, if you
> accidentally block yourself, how to regain access to your
> server so you can remove the block.
>
> I have found that although a block can be created for any
> one address on the external interface, the actual effect is
> a block which effectively denies <all> IP addresses
> on the external interface.
>
> Tony Su
>
>
> >-----Original Message-----
> >Hi.
> >
> >I'm cowboy-coding a deny script to create automatic deny packet filters
> >triggered by action; they get created and look perfect but they just don't
> >block.
> >
> >' pf is the ISA packet filter object being created; WshEnv is the WSH
> >' process environment, so ALERT_PARAMETER_1 is the value the alert action
> >' passes in (the remote host to block).
> >pf.PacketDirection = fpcPfDirectionIndexBoth
> >pf.SetLocalHost fpcPfDefaultProxyExternalIp
> >pf.LocalPortType = fpcPfAnyPort
> >pf.RemotePortType = fpcPfAnyRemotePort
> >pf.SetRemoteHost fpcPfSingleHost, WshEnv("ALERT_PARAMETER_1")
> >
> >Even when I create them manually they just don't affect servers that are
> >published.
> >
> >I have about 60 IPs on my external interface and servers that are
> >published have one IP each.
> >
> >Is it possible that deny rules don't work for this? Or am I doing the whole
> >thing wrong?
> >
> >Any info would be nice.
> >Regards.
> >Steinki..
> >
>
>
>
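Jim's objection (one alert with a spoofed source and you have blocked yourself), Steinki's own-IP check and Tony's warning about locking yourself out all come down to the same design question: what an automated responder must refuse to do. The following Python sketch is an added illustration for this thread; it is not the BlockAttacker script and not ISA Server code. It models only the decision, independently of any firewall: an allowlist of addresses that are never blocked (the firewall's own external IPs, management hosts), a minimum number of alerts inside a window before a block is created, and an expiry on every block. The addresses, thresholds and alert stream are constructed for the example, and creating the actual filter is left to the caller.

```python
"""Safeguards for an alert-driven auto-block responder.

Hypothetical example, not the BlockAttacker script and not ISA Server code:
it decides whether an alert should turn into a block; creating the actual
firewall rule is left to the caller.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class AutoBlockPolicy:
    # Networks that must never be blocked, whatever the alert says:
    # the firewall's own external IPs, management hosts, remote admin servers.
    never_block: list
    threshold: int = 5            # alerts needed from one source before blocking
    window_seconds: int = 300     # the alerts must fall inside this window
    block_ttl_seconds: int = 900  # every block expires on its own
    events: dict = field(default_factory=lambda: defaultdict(deque))
    blocks: dict = field(default_factory=dict)   # ip -> expiry timestamp

    def __post_init__(self):
        # Accept plain strings such as "203.0.113.0/28" for the allowlist.
        self.never_block = [ip_network(n) for n in self.never_block]

    def is_protected(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.never_block)

    def active_blocks(self, now):
        """Drop expired blocks and return the IPs still blocked at `now`."""
        for ip, until in list(self.blocks.items()):
            if until <= now:
                del self.blocks[ip]
        return sorted(self.blocks)

    def handle_alert(self, src_ip, now):
        """Classify one alert: 'protected', 'already', 'count' or 'block'."""
        self.active_blocks(now)
        if self.is_protected(src_ip):
            # An alert naming our own address (spoofed or not) can never lock us out.
            return "protected"
        if src_ip in self.blocks:
            return "already"
        recent = self.events[src_ip]
        recent.append(now)
        while recent and recent[0] < now - self.window_seconds:
            recent.popleft()      # forget alerts older than the window
        if len(recent) >= self.threshold:
            self.blocks[src_ip] = now + self.block_ttl_seconds
            recent.clear()
            return "block"
        return "count"


def run_sample():
    """Feed a constructed alert stream through the policy (not real log data)."""
    policy = AutoBlockPolicy(
        never_block=["203.0.113.0/28",    # our own external range (constructed)
                     "198.51.100.7/32"],  # remote admin server (constructed)
    )
    alerts = [
        (0, "192.0.2.10"), (10, "192.0.2.10"), (20, "192.0.2.10"),
        (30, "192.0.2.10"), (40, "192.0.2.10"),   # fifth alert in 40 s: block
        (50, "203.0.113.5"),   # alert naming our own address: never blocked
        (60, "192.0.2.77"),    # one alert from a new source: counted only
        (1000, "192.0.2.10"),  # block expired at 940; counting starts again
    ]
    return [(ts, ip, policy.handle_alert(ip, ts)) for ts, ip in alerts], policy


if __name__ == "__main__":
    results, policy = run_sample()
    for ts, ip, verdict in results:
        print(f"t={ts:4d} {ip:<14} {verdict}")
    print("blocked now:", policy.active_blocks(1000))
```

The policy cannot tell a spoofed source from a real one; the allowlist and the threshold only limit how much damage a forged alert can do, and the expiry puts an upper bound on how long a mistaken block lasts. Whatever creates the actual rule should also log every verdict, so that the blocks the responder makes can be reviewed against the firewall logs rather than replacing that review.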