Security Basics
IDS which denies access after one "false" scanned port Dec 21 2011 12:20PM Martin T (m4rtntns gmail com) (4 replies)
Re: IDS which denies access after one "false" scanned port Dec 22 2011 01:58PM Brent Huston (lbhlists gmail com)
Re: IDS which denies access after one "false" scanned port Dec 22 2011 02:41AM Todd Haverkos (infosec haverkos com)
Re: IDS which denies access after one "false" scanned port Dec 21 2011 04:44PM Matthew Caron (Matt Caron sixnet com) (1 replies)
Re: IDS which denies access after one "false" scanned port Dec 21 2011 06:51PM Orlando Leon (sabalo22 gmail com)
consultants from IBM for a project I audited, as part of one of their
outsourced WebSphere systems. I do not know the actual IDS, but it
made the audit damn difficult, as it was also prone to locking me out
whenever I caused too many server errors (where too many was something
~50 HTTP 400s or 500s in a 15m period). Burp's automated intruder,
directory scans, etc. were all worthless as a result.
Did manage some success using purely manual testing, mostly simple XSS
attacks though, worked well on the language selection ;)
On 12/21/2011 02:20 PM, Martin T wrote:
> I found a web server which serves a web page on TCP port 80, but if
> I try to connect to any other TCP port, my IP is blocked for
> 10 min. Example below:
>
> [root@ ~]# ping -qc1 www.<domain>.com
> PING www.<domain>.com (10.10.10.3): 56 data bytes
>
> --- www.<domain>.com ping statistics ---
> 1 packets transmitted, 1 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 1.793/1.793/1.793/0.000 ms
> [root@ ~]# telnet www.<domain>.com 80
> Trying 10.10.10.3...
> Connected to www.<domain>.com.
> Escape character is '^]'.
> Connection closed by foreign host.
> [root@ ~]# telnet www.<domain>.com 37219
> Trying 10.10.10.3...
> ^C
> [root@ ~]# telnet www.<domain>.com 80
> Trying 10.10.10.3...
> ^C
> [root@ ~]# ping -qc1 www.<domain>.com
> PING www.<domain>.com (10.10.10.3): 56 data bytes
>
> --- www.<domain>.com ping statistics ---
> 1 packets transmitted, 0 packets received, 100.0% packet loss
> [root@ ~]#
>
>
> Has anyone seen such behavior before? Is it somehow possible to
> detect/guess which IDS this might be? Any other suggestions on how to
> find out more information about this IDS and the server behind it?
>
>
> regards,
> martin
>
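The two lockout behaviours described in this thread (a 10-minute block after a single connection to a port other than 80, and a block after roughly 50 HTTP 4xx/5xx responses in 15 minutes) can be modelled as per-source state, which is useful when tuning such thresholds against false positives. This is an added example, not code from the thread or from any IDS product; the class and constant names are hypothetical, and the duration of the error-rate block is an assumption because the reply does not state it.

```python
from collections import defaultdict, deque

ALLOWED_PORTS = {80}         # the quoted server answers only on TCP 80
PORT_BLOCK_SECS = 10 * 60    # block length reported in the quoted post
ERROR_LIMIT = 50             # "~50" in the reply; exact value unknown
ERROR_WINDOW_SECS = 15 * 60  # 15-minute window from the reply
ERROR_BLOCK_SECS = 10 * 60   # assumption: the reply gives no duration


class LockoutTracker:
    """Per-source-IP block decisions (hypothetical model, not a real IDS)."""

    def __init__(self):
        self.blocked_until = {}           # ip -> second the block expires
        self.errors = defaultdict(deque)  # ip -> timestamps of 4xx/5xx

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def _block(self, ip, now, secs):
        # Keep the later expiry if the source is already blocked.
        self.blocked_until[ip] = max(self.blocked_until.get(ip, 0), now + secs)

    def on_connect(self, ip, dst_port, now):
        """Return True if the connection attempt is let through."""
        if self.is_blocked(ip, now):
            return False
        if dst_port not in ALLOWED_PORTS:
            self._block(ip, now, PORT_BLOCK_SECS)  # one stray port is enough
            return False
        return True

    def on_http_response(self, ip, status, now):
        """Record a response; return True if it triggered a block."""
        if status < 400:
            return False
        window = self.errors[ip]
        window.append(now)
        while window[0] <= now - ERROR_WINDOW_SECS:  # expire old errors
            window.popleft()
        if len(window) >= ERROR_LIMIT:
            self._block(ip, now, ERROR_BLOCK_SECS)
            window.clear()
            return True
        return False
```

Timestamps are plain seconds, so recorded firewall and web-server log entries can be replayed through the tracker to see which sources a given threshold would have locked out.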