RE: [FW1] WebSite being Hacked!!!
> 2. Configure CPMAD to send e-mails to you (be careful with this, you get a lot of e-mails) or browse your fw log daily. If you see that you're being scanned then you can issue 'fw sam -i src <ip_address_you_wanna_block>'. This way the scanning connection is rejected. It is better than nothing, but the disadvantage is that when fw sam

Quick reminder on CPMAD: remember that by default only "Blocked_Connection_Port_Scanning" is ON; "Port_Scanning" is turned OFF. You can turn each type of attack recognition ON/OFF by editing the $FWDIR/conf/cpmad_config.conf file.

Comments on the differences between "port_scanning" and "blocked_connection_port_scanning":

So what's the difference between the two attack detections? When would you need one and not the other?

"port_scanning" is an encompassing attack detection option. It includes "blocked_connection_port_scanning". Therefore, we can say that "port_scanning" is a superset of "blocked_connection_port_scanning", or that "blocked_connection_port_scanning" is a subset of "port_scanning".

Basically, "port_scanning" will detect any port scan directed from the same source IP to the same destination IP, irrespective of whether the packet is ACCEPTED, DROPPED, or REJECTED. However, "blocked_connection_port_scanning" only detects port scans when the packets are REJECTED or DROPPED. This attack detection will not detect port scans to systems if the specific ports scanned for are ACCEPTED by the firewall.

Usually, you will not turn both of these detection modes on. If you are allowing only specific protocols to specific servers, and are implementing the DROP RULE, then having "blocked_connection_port_scanning" will cover the port scans, because your security policy will cause packets other than ACCEPTED ones destined to the systems to be DROPPED/REJECTED.

Overall, "port_scanning" will be more memory and CPU intensive than "blocked_connection_port_scanning".
Amin Tora, CISSP
ePlus Technology
http://www.eplus.com
NASDAQ: PLUS
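The superset/subset relationship described above, as an added illustration that is not CPMAD's own code: a small counter over constructed, simplified log lines (action, source, destination, port) shows that counting only DROP/REJECT packets misses a scan whose probed ports happen to be ACCEPTED, while counting every packet catches it. The log format and the threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample in a simplified "action src dst port" layout; not real FW-1 log output.
# One host (10.1.1.5) probes seven ports on 192.0.2.10; four are accepted by policy,
# three are dropped. A second host makes a single legitimate connection.
SAMPLE_LOG = """\
accept 10.1.1.5 192.0.2.10 80
accept 10.1.1.5 192.0.2.10 443
accept 10.1.1.5 192.0.2.10 22
accept 10.1.1.5 192.0.2.10 25
drop   10.1.1.5 192.0.2.10 23
drop   10.1.1.5 192.0.2.10 21
drop   10.1.1.5 192.0.2.10 139
accept 10.1.1.9 192.0.2.10 80
"""

BLOCKED_ACTIONS = {"drop", "reject"}


def count_ports(log, blocked_only, threshold):
    """Return {(src, dst): distinct_port_count} for pairs at or above threshold.

    blocked_only=True mimics "blocked_connection_port_scanning": only dropped or
    rejected packets are counted. blocked_only=False mimics "port_scanning": every
    packet counts regardless of the firewall's verdict.
    """
    ports = defaultdict(set)
    for line in log.splitlines():
        action, src, dst, port = line.split()
        if blocked_only and action not in BLOCKED_ACTIONS:
            continue  # accepted traffic is invisible to the blocked-only mode
        ports[(src, dst)].add(int(port))
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}


def flagged_sources(log, blocked_only, threshold):
    """Source IPs that would raise a port-scan alert under the given mode."""
    return sorted({src for (src, _dst) in count_ports(log, blocked_only, threshold)})
```

With a threshold of five distinct ports, the full-count mode flags 10.1.1.5 (seven ports) while the blocked-only mode sees just three ports and stays silent, which is exactly the gap the author warns about when scanned ports are allowed by policy.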