On Mon, 2006-03-20 at 17:43 +0200, Alexandru E. Ungur wrote: > >>> sender: "Craig White" date: "Mon, Mar 20, 2006 at 07:50:24AM -0700" <<<EOQ > > On Mon, 2006-03-20 at 13:33 +0200, Alexandru E. Ungur wrote: > > > Hi all, > > > > > > I appologise in advance if this is a little OT, but I am building > > > a box that will serve as firewall and router for a small 'internet > > > cafe / netcafe' and am using CentOS... > > > > > > So here it is: > > > What are the best tools to be used for keeping the potential > > > script kiddies from 'harming the Internet' :) ? I specifically want > > > to be able to detect and prevent portscans from LAN to Internet, and > > > any other malware activity the clients might think of. > > > > > > I am particularily interested in 'the CentOS way'. For example I > > > know there is psd module in patch-o-matic for iptables to be able > > > to do the portscan detection in firewall... but, that doesen't > > > feel like 'CentOS way' (because I have to build a cusom kernel) > > > unless there is some kernel (even 3rd part, unsuported/etc.) that > > > already has this in... > > > > > > Also I know of the portsentry tool, but the project seems pretty much > > > dead after Cisco bought Psyonic... and again is not on up2date's list... > > > > > > I intend to use Snort, though I hope that it won't share portsentry's > > > fate and become extinct after Check Point's acquisition of Sourcefire > > > will be completed. No FUD intended on this, optimistic views are always > > > highly welcomed :) > > > > > > Luckily denyhosts has no plans of selling itself to anyone so that's > > > one project I can safely use :) > > > > > > So, Open Source portscaner for CentOS... anyone... ? :) > > > > > > > > > Thank you for your time and help, > > ---- > > why not just use a proxy server like squid? > Thank you for the suggestion. Yep, Squid/Oops + Dansguardian, is very good > ideea and I'll probably use it. > > However how can that stop a kid to download the latest/coolest 'hacking > script' and start doing portscans & co. ? I don't want to limit what they > can access via web, but to limit what they can 'do to Internet' from their > Windows boxes through the gateway I am setting up. > I just don't like to have nobody messing on my FORWARD chains that's all ;) ---- perhaps you need to find out what squid / a proxy server will do. you pretty much control everything. Rather than masquerade the entire LAN which means that you have to start putting in rules to block things that they can't do, a proxy server would start with the premise that nothing works for the LAN users except that which is permitted. Basically, you would allow them to use a web browser but little else - so if they open a terminal and try to ping beyond the LAN, it dies there. Craig