[TriLUG] Security question
Mike Johnson
mike at enoch.org
Mon Aug 13 20:25:12 EDT 2001
Chris Knowles [knowlesc at telocity.com] wrote:
> I've got a question for all the security conscious people out there...
>
> If you are running telnet and an unpatched WU-FTPD and need to have CVS
> pserver running...
And your IP address is...?
> So, is it better to have a firewall that drops almost everything to the
> ground, or one that is open until it detects a scan? My gut says to drop
> everything, if they can't get in they can't get in. But, it's kinda neat to
> see the attempted scans.
I think it's much better to just drop everything on the floor.
You'll have your iptables logs, and you can pretty easily
deduce a scan from them.
Frankly, I don't care about the packets that don't get through. I
care much more about the ones that -do- get through. Watching the
port scans is fun for a few days, but it gets old. I think
you'll be much better off just reading your firewall logs and
dropping all.
Mike
--
Never trust a man who puts anything other than a finger up his nose. - _Snatch_
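
Deducing a scan from the firewall's drop logs, as the reply above suggests, shown as an added example that is not part of the original post. It assumes a LOG rule with the hypothetical prefix "FW-DROP: " sits just before the final DROP rule; the log lines, threshold and time window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: every dropped packet is logged with the hypothetical prefix
# "FW-DROP: " in the usual iptables LOG key=value layout.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*FW-DROP: .*"
    r"SRC=(?P<src>\S+) .*PROTO=(?:TCP|UDP) .*DPT=(?P<dpt>\d+)"
)

def find_scanners(lines, min_ports=5, window=timedelta(seconds=60), year=2001):
    """Return {src: all dropped ports} for each source that probed at least
    min_ports distinct destination ports inside one sliding time window."""
    hits = defaultdict(list)  # src -> [(time, port), ...]
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a drop line, or a protocol without ports (ICMP)
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["src"]].append((ts, int(m["dpt"])))

    scanners = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({p for _, p in events})
                break
    return scanners

def _line(ts, src, dpt):  # builds one constructed iptables LOG line
    return (f"Aug 13 {ts} gw kernel: FW-DROP: IN=eth0 OUT= SRC={src} "
            f"DST=198.51.100.1 LEN=60 TTL=52 PROTO=TCP SPT=40000 DPT={dpt} SYN")

# Constructed sample: a fast sweep, one host retrying telnet, one slow prober.
SAMPLE = ([_line(f"20:01:{i:02d}", "192.0.2.10", p)
           for i, p in enumerate([21, 22, 23, 25, 80, 2401])]
          + [_line(f"20:02:{i:02d}", "198.51.100.7", 23) for i in range(8)]
          + [_line(f"{h:02d}:00:00", "203.0.113.9", p)
             for h, p in zip(range(10, 15), [21, 22, 23, 25, 80])])

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```

With the default 60-second window the slow prober stays under the threshold; widening `window` is what surfaces it, at the cost of more noise from ordinary retries.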