Re: portsentry's stealth mode - works under fBSD with ipf?

From: Krzysztof Zaraska (kzaraska@student.uci.agh.edu.pl)
Date: 09/15/01


Date: Sat, 15 Sep 2001 16:16:26 +0200 (CEST)
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: D J Hawkey Jr <hawkeyd@visi.com>

On Sat, 15 Sep 2001, D J Hawkey Jr wrote:

In some article regarding usage of portsentry on FreeBSD it was also said
that stealth mode works only under Linux. It may be because of the fact
that raw sockets code may be unportable (I read this yesterday in raw(7)
on Linux).

> By way of further explanation, the cron'd script analyzes the read in
> log entries for blocked source IPs that either hit on the box a smallish
> number of times, each hit within a defined frequency (port scans and DOS
> attempts), or hit on the box at all a larger number of times (for more
> general idiocies).
There's an add-on for snort, called Guardian, that reads the alert log file
in tail -f style (every 1 second IIRC) and updates the firewall ruleset. I'm
not sure if it supports ipf right now but it should be easily hackable (it's
a Perl script).

Personally, I'd rather use snort than portsentry since it is a more
flexible and powerful solution. And it can detect "stealth" port
scans under FreeBSD (verified personally). Based on your description I
think it would suit your needs. See http://www.snort.org/

Regards,
Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
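The two-rule heuristic the quoted cron'd script applies (a few blocked hits in quick succession, or many blocked hits overall), as an added example that is not code from this thread or from Guardian, run over constructed ipmon-style log lines in Python. The log line layout, the thresholds and the IP addresses are assumptions; the script only reports which sources would be blocked and does not touch the ipf ruleset.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed ipmon-style lines (layout approximated; the post shows none).
# 10.0.0.5 is a fast scan, 10.0.0.9 is a passed (not blocked) packet.
SAMPLE_LOG = """\
15/09/2001 16:16:20.000001 fxp0 @0:1 b 10.0.0.5,4000 -> 192.168.1.2,21 PR tcp len 20 60 -S IN
15/09/2001 16:16:21.000001 fxp0 @0:1 b 10.0.0.5,4001 -> 192.168.1.2,22 PR tcp len 20 60 -S IN
15/09/2001 16:16:22.000001 fxp0 @0:1 b 10.0.0.5,4002 -> 192.168.1.2,23 PR tcp len 20 60 -S IN
15/09/2001 16:16:23.000001 fxp0 @0:1 b 10.0.0.5,4003 -> 192.168.1.2,25 PR tcp len 20 60 -S IN
15/09/2001 16:16:24.000001 fxp0 @0:1 b 10.0.0.5,4004 -> 192.168.1.2,80 PR tcp len 20 60 -S IN
15/09/2001 16:16:30.000001 fxp0 @0:2 p 10.0.0.9,5000 -> 192.168.1.2,22 PR tcp len 20 60 -S IN
"""
# Constructed slow scan: 10.0.0.7 hits one port every five minutes, 12 times.
SLOW_LOG = "\n".join(
    f"15/09/2001 {16 + (20 + 5 * i) // 60:02d}:{(20 + 5 * i) % 60:02d}:00.000001 "
    f"fxp0 @0:1 b 10.0.0.7,{3000 + i} -> 192.168.1.2,{100 + i} PR tcp len 20 60 -S IN"
    for i in range(12))

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d+ \S+ @\S+ "
    r"(?P<action>[bp]) (?P<src>\d+\.\d+\.\d+\.\d+),\d+ -> ")

def parse_blocked(log_text):
    """Yield (timestamp, source IP) for every blocked ('b') log entry."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("action") == "b":
            yield datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S"), m.group("src")

def find_offenders(log_text, burst_hits=5, burst_window=10, total_hits=10):
    """Return {src: reason}: 'burst' for burst_hits blocked hits inside
    burst_window seconds, 'volume' for total_hits blocked hits at any rate."""
    hits = defaultdict(list)
    for ts, src in parse_blocked(log_text):
        hits[src].append(ts)
    verdict = {}
    for src, times in hits.items():
        times.sort()
        if len(times) >= total_hits:
            verdict[src] = "volume"
            continue
        # Sliding window over consecutive hits: any burst_hits within burst_window.
        for i in range(len(times) - burst_hits + 1):
            if (times[i + burst_hits - 1] - times[i]).total_seconds() <= burst_window:
                verdict[src] = "burst"
                break
    return verdict

if __name__ == "__main__":
    for src, reason in sorted(find_offenders(SAMPLE_LOG + SLOW_LOG).items()):
        print(f"would block {src} ({reason})")
```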
