Re: Layering portsentry and ipchains

From: Fredderic (fredderic@iprimus.com.au)
Date: 12/15/02


From: "Fredderic" <fredderic@iprimus.com.au>
Date: Mon, 16 Dec 2002 01:20:02 +1000


> >> What is the point of that, when iptables is easily capable of
> >> reporting every single dropped or rejected packet in the first
> >> place without introducing a secondary and possibly tertiary
> >> processes?
> > PortSentry will iptables notice a system scanning ports on your
> > machine?
> If you apply the psd patch, yes.

Hmmm... I've never actually had need to apply a patch yet.

What exactly does the psd patch do, and/or involve?

> > Will it close the few open ports you have before that scan reaches
> > them, thus hiding your system totally?
> Why do they want hiding at all? Are you providing a service on them
> or not?

Yes, I am. For myself. The rest I can open up on demand, but I need to
leave at least one hole. And as I don't keep perfectly up to date on the
latest version, if someone were to stumble across my ssh daemon during a
random port scan, I would be well and truly stuffed.

In short, the fewer people who know it exists, the happier I'll be.

> If not, the firewall was badly designed; if so, you'll have tightened
> such configurations as are possible behind.

Apart from ssh, I allow only related/established. But if there's a
reasonably trivial way to fix even that, why not take it?

> > And logging every poke at your firewall might generate a fair bit of
> > data. Much better I'd think, to have a program monitoring such
> > activity and only logging a summary.
> fwlogwatch is your fwend(TM). I run it quarter-hourly from cron myself,
> outputs to an HTML file.

Hmmm..... Might be of some use...

> > You stick your upline DNS and other ISP services into the list of
> > trusted sites. Sure a DoS may take you off some miscellaneous
> > site you're accessing, but if it's a regular deal then you add it to the
> > list of trusted sites, and you can always manually override the block.
> How do you manually override it when the box is 10 miles away in a
> secure location?

By ssh, and being very very careful not to let it block yourself. ;)

I've run into that problem myself. In my case though, the box was only 100
meters away. Trouble is I'd have had to pass through three locked and
alarmed doors to get to it, well and truly after hours. And since it was a
non-critical system in a room full of critical systems, security wouldn't
have been overly excited at the prospect of letting me in. ;)

> Portsentry is not suited to all uses. It is therefore not worth my while
> running it anywhere.

It doesn't seem suited to my use either. But I'm not going to say it's
unsuited to any use. A version of port sentry that ran off firewall logs
would probably do quite well. Except that you'd probably want to be logging
valid traffic as well as the bad stuff. So having it observe the traffic
rather than running off the logs would be preferable.

> > Like I said, it doesn't do much for me, but it would if it could see
> > what was hitting my firewall, instead of only what was getting
> > through.
> Drop & Log by default?

I do.

> Sift the results with
> fwlogwatch -s -d -t -z -y -n -p -w -l 1d -o fw.html -f /var/log/firewall

Haven't actually looked at that...

I've got snort running, which gives me a pretty nice rundown of what's going
on... But I'd prefer to be able to set more immediate responses.
Particularly since I'm using the machine I'm trying to protect.
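The "port sentry that runs off firewall logs" idea above, as an added example that is not part of the thread: it parses the key=value lines an iptables LOG target writes via syslog (drop-and-log by default, as discussed), aggregates dropped packets per source, and flags any source that has touched a threshold number of distinct destination ports. The sample log lines, the "DROP: " log prefix and the threshold of 5 ports are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the format written by an iptables LOG rule
# such as `iptables -A INPUT -j LOG --log-prefix "DROP: "` (addresses are
# documentation ranges, not real hosts).
SAMPLE_LOG = """\
Dec 16 01:20:02 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT=21 SYN URGP=0
Dec 16 01:20:02 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TTL=48 ID=2 PROTO=TCP SPT=40002 DPT=23 SYN URGP=0
Dec 16 01:20:03 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TTL=48 ID=3 PROTO=TCP SPT=40003 DPT=25 SYN URGP=0
Dec 16 01:20:03 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TTL=48 ID=4 PROTO=TCP SPT=40004 DPT=80 SYN URGP=0
Dec 16 01:20:04 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TTL=48 ID=5 PROTO=TCP SPT=40005 DPT=110 SYN URGP=0
Dec 16 01:21:10 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=52 ID=6 PROTO=TCP SPT=51000 DPT=445 SYN URGP=0
Dec 16 01:21:11 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=52 ID=7 PROTO=TCP SPT=51001 DPT=445 SYN URGP=0
Dec 16 01:22:00 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=60 TTL=60 ID=8 PROTO=UDP SPT=5353 DPT=5353
"""

# Only the fields needed for a per-source summary; \b keeps SPT= from matching.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of a firewall log line, or None
    for lines that are not iptables LOG output (e.g. sshd messages)."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields

def summarize(log_text, scan_threshold=5):
    """Count dropped packets per source and flag sources that probed at
    least scan_threshold distinct (protocol, port) pairs. Threshold is an
    assumed example value; tune it to the noise level of your own link."""
    packets = defaultdict(int)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        packets[f["SRC"]] += 1
        targets[f["SRC"]].add((f["PROTO"], f.get("DPT", "-")))
    return {src: {"packets": packets[src],
                  "distinct_ports": len(targets[src]),
                  "scan_suspected": len(targets[src]) >= scan_threshold}
            for src in packets}

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        flag = "SCAN?" if info["scan_suspected"] else ""
        print(f"{src:16} {info['packets']:4} pkts {info['distinct_ports']:3} ports {flag}")
```

Feed it the real file with `summarize(open("/var/log/firewall").read())`; the flagged sources are what you would review (or feed to a trusted-sites check) before adding any block.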