Q on PortSentry
From: Philip Ching (605.734.71) (pching@aplcenMP.apl.jhu.edu)
Date: 02/20/02
Date: Tue, 19 Feb 2002 23:25:07 -0500 (EST)
From: "Philip Ching (605.734.71)" <pching@aplcenMP.apl.jhu.edu>
To: security-discuss@linuxsecurity.com

Hi,
I installed "portsentry-1.0-11.i386.rpm" fine on PC-A (RedHat 7.1),
and turned it on by executing "portsentry -tcp".
I then used SAINT from PC-B (RedHat 7.2) to do a heavy scan of PC-A.
I then observed many "attackalert" messages generated by portsentry
(in /var/log/messages on PC-A) which say PC-B has been blocked.
But the funny thing is I can still telnet into PC-A (from PC-B), and
I do not see any entry in /etc/hosts.deny.
Is this correct behavior? Should my telnet be rejected by PC-A?
I remember the behavior of an older version: "portsentry-0.90.9386.rpm"
was correct, meaning PC-B would be blocked. I used to see that /var/hosts.deny
had logged the IP address of PC-B, and I could not telnet into PC-A
(from PC-B) after a heavy scan action.
Is there anything wrong with "portsentry-1.0-11.i386.rpm", or is the
older version "portsentry-1.0-11.i386.rpm" better?
I appreciate any comments from you.
Thanks!
Philip