SnapGear VPN Router User Manual page 67

VPN router family

The list of network ports that can be monitored can be edited freely. In addition, several shortcut
buttons are available which provide pre-selected lists of services to monitor. The basic button
installs a bare-bones selection of ports to monitor whilst still providing sufficient coverage to detect
many intruder scans. The standard option extends this coverage by introducing additional
monitored ports so that most intruder scans will be detected early. The strict button installs a
comprehensive selection of ports to monitor that should be sufficient to detect all but the stealthiest
of scans.

The trigger count specifies the number of times a host is permitted to attempt to connect to
monitored services before being blocked. This option only has an effect if one of the blocking
options above is enabled. Generally, the value of the trigger count should be in the 0 to 2 range. A
setting of 0 represents an immediate blocking of probing hosts. Larger settings mean more attempts
are permitted before blocking and, whilst allowing the attacker a little more latitude, such settings
will reduce the number of false positives.

The ignore list contains a listing of host IP addresses which are to be ignored by IDB for detection
and blocking purposes. This list may be freely extended so that trusted servers and hosts will not be
blocked. The two addresses 0.0.0.0 and 127.0.0.1 cannot be removed from the ignore list since they
represent the IDB host.

Warning:
A word of caution about automatically blocking UDP requests. Because the source
address of such requests can be forged by an attacker without much difficulty, a host that
automatically blocks UDP probes can be tricked into restricting access from legitimate
services. Proper firewall rules and ignored hosts lists will significantly reduce the risk of this
happening.
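
The interaction between the trigger count, the ignore list and the UDP warning can be seen in a small model. This is an added example, not code from the manual or the SnapGear firmware: the class and field names are hypothetical, the ports and addresses are constructed, and it assumes a host is blocked once its attempts exceed the trigger count.

```python
from dataclasses import dataclass, field

ALWAYS_IGNORED = frozenset({"0.0.0.0", "127.0.0.1"})  # the IDB host itself, per the manual

@dataclass
class ProbeBlocker:
    monitored: dict                 # e.g. {"tcp": {23}, "udp": {161}} (constructed port lists)
    trigger_count: int = 0          # attempts tolerated before blocking; 0 = block on first probe
    block_tcp: bool = False         # hypothetical names for the manual's blocking options
    block_udp: bool = False
    ignore: set = field(default_factory=set)
    attempts: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def observe(self, proto, src, dport):
        """Classify one inbound packet: 'ignored', 'pass', 'detected' or 'blocked'."""
        if src in ALWAYS_IGNORED or src in self.ignore:
            return "ignored"        # never counted, never blocked
        if src in self.blocked:
            return "blocked"        # already blocked: all further traffic is dropped
        if dport not in self.monitored.get(proto, ()):
            return "pass"           # not a monitored service
        self.attempts[src] = self.attempts.get(src, 0) + 1
        may_block = self.block_tcp if proto == "tcp" else self.block_udp
        if may_block and self.attempts[src] > self.trigger_count:
            self.blocked.add(src)
            return "blocked"
        return "detected"           # logged only, no blocking option applies yet

def replay(blocker, packets):
    """Feed (proto, src, dport) tuples through the blocker and collect verdicts."""
    return [blocker.observe(*p) for p in packets]

# Constructed traffic using documentation address ranges.
RESOLVER = "192.0.2.53"                      # a legitimate upstream DNS server
PORTS = {"tcp": {23, 111}, "udp": {161}}
FORGED = [("udp", RESOLVER, 161)] * 3        # UDP probes whose source address is forged
REPLY = [("udp", RESOLVER, 33000)]           # a genuine reply from the resolver

if __name__ == "__main__":
    naive = ProbeBlocker(PORTS, trigger_count=2, block_udp=True)
    print(replay(naive, FORGED + REPLY))     # resolver ends up blocked
    safe = ProbeBlocker(PORTS, trigger_count=2, block_udp=True, ignore={RESOLVER})
    print(replay(safe, FORGED + REPLY))      # resolver is never counted
```

With UDP blocking enabled and no ignore entry, the resolver's genuine reply is dropped after the third forged probe; listing the resolver in the ignore list keeps it reachable.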
This manual is also suitable for: Soho+, Pro, Lite, Lite+