Re: Connection attempts (& active ids)

From: David Goddard (goddard@acm.org)
Date: 04/25/01


Date: Wed, 25 Apr 2001 22:42:10 +0100
From: David Goddard <goddard@acm.org>
To: Domas Mituzas <domas.mituzas@delfi.lt>

Domas Mituzas wrote:
[...]
> Several days ago I gave a lesson to guys, running portsentry and similar
> stuff with active blocking enabled. They did not believe they had any
> security breach, but after their own systems blocked all TLD servers, they
> removed portsentry immediately. [...]

Now, this sounds like you are suggesting that portsentry is a Bad Thing,
Period. I'm not sure I agree here...

Root servers I hadn't considered (thanks!), but I run portsentry and
it's configured not to block any of the other machines essential to
server running (gateway, colo DNS, backup MX, my own IPs etc.) and I
don't give a toss if it blocks anything else temporarily (a luxury some
might not have, admittedly) - I can fix any obvious problems.

Simply by being sat there listening to port 111, portsentry blocks
several probably compromised systems a day from talking to my servers.
Why should I not use it as a part of my security strategy?

I'm not trying to be combative, but you seem to believe this sort of
thing is fit for nothing and if I'm wrong I'd like to know it now rather
than later...

Dave
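
The exchange above turns on whether every host the server depends on is excluded from active blocking before a scan with a forged source address triggers a block. The following is an added example, not part of the original message and not portsentry's own code: it audits an exclusion list against an inventory of essential hosts and shows what a block decision would be for a given source. The list format (one address or CIDR per line, '#' comments), the inventory and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample exclusion list: one address or CIDR per line.
# Addresses are documentation ranges (RFC 5737), not real hosts.
IGNORE_LIST = """\
# gateway
192.0.2.1
# colo DNS resolvers
198.51.100.0/28
# backup MX
203.0.113.25
"""

# Constructed inventory of hosts the server depends on, keyed by role.
ESSENTIAL = {
    "gateway": "192.0.2.1",
    "colo-dns": "198.51.100.5",
    "backup-mx": "203.0.113.25",
    "upstream-ns": "203.0.113.53",  # deliberately absent from the list
}

def parse_ignore(text):
    """Parse the exclusion list into network objects, skipping comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_ignored(addr, nets):
    """True if addr falls inside any excluded host or network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def uncovered(essential, nets):
    """Roles whose address an active block could still cut off."""
    return sorted(r for r, a in essential.items() if not is_ignored(a, nets))

def decide(src, nets):
    """Decision for a source that touched a trap port: 'skip' or 'block'."""
    return "skip" if is_ignored(src, nets) else "block"

if __name__ == "__main__":
    nets = parse_ignore(IGNORE_LIST)
    print("essential hosts not covered:", uncovered(ESSENTIAL, nets))
    for src in ("198.51.100.5", "203.0.113.53", "203.0.113.200"):
        print(src, "->", decide(src, nets))
```

Any role reported as not covered is a host that a probe carrying its address as the source could get blocked.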
