Re: How to protect our RedHat 7.2 from port scanning?

From: Fredderic (fredderic@iprimus.com.au)
Date: 01/29/03
> Do you actually trust portsentry enough to let it rewrite your
> iptables/ipchains rules on the fly ??
> Somebody sends packets your direction with a forged source
> address. The forged source address corresponds to that of your
> DNS server(s), portsentry reacts and blocks these addresses, and
> you are suddenly having a bad day !?

Have you read the PortSentry documentation before making that comment? It
has this nifty little thing called a configuration file, with an equally
nifty feature to prevent it from blocking certain hosts.

Plus, with a bit of IQ applied, it's not too difficult to shunt portsentry's
rules off to an alternate chain, and just call that chain after allowing
specific exceptions such as DNS servers and a high-port sshd, for instance.
This is what I was doing for a while, until I decided to implement a default
drop policy (the sole reason I don't use it anymore).

In fact, since PortSentry can run any script you want when it detects a
scan, you can even perform a whois, grep it for the abuse reporting address, and
hurl them a log of the scan. I'm not advocating that particular course of
action, but it's an example of what you can do.
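The chain layout the post describes (PortSentry's dynamic rules confined to a side chain that INPUT only reaches after the static exceptions, under a default DROP policy), as an added example that is not part of the original message. The interface-free rules, the DNS server addresses, the sshd port and the chain name are constructed placeholders; the default `IPT` value only prints the commands so the layout can be inspected without root, and setting `IPT=iptables` applies them.

```sh
#!/bin/sh
# Added example, not from the original post or the PortSentry project.
# Keeps PortSentry's auto-generated rules in their own chain, so a forged
# source address that gets blocked can never shadow the exceptions that
# INPUT accepts first (DNS servers, a high-port sshd).
#
# Assumptions: DNS_SERVERS, SSH_PORT and PS_CHAIN are placeholders;
# IPT defaults to printing instead of applying.
IPT="${IPT:-echo iptables}"
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 192.0.2.54}"   # constructed addresses
SSH_PORT="${SSH_PORT:-2222}"                          # constructed high port
PS_CHAIN="${PS_CHAIN:-PORTSENTRY}"

build_rules() {
    # Default drop: anything not explicitly accepted below is discarded.
    $IPT -P INPUT DROP
    $IPT -F INPUT
    # Create the side chain (or empty it if it already exists).
    $IPT -N "$PS_CHAIN" 2>/dev/null || $IPT -F "$PS_CHAIN"
    # Loopback and already-established traffic.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Static exceptions, evaluated before anything PortSentry adds.
    for dns in $DNS_SERVERS; do
        $IPT -A INPUT -s "$dns" -p udp --sport 53 -j ACCEPT
    done
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    # Only now hand off to the chain PortSentry appends to; a packet that
    # falls through it returns to INPUT and hits the DROP policy.
    $IPT -A INPUT -j "$PS_CHAIN"
}

# Point PortSentry at the side chain instead of INPUT. In portsentry.conf
# the KILL_ROUTE command is run with $TARGET$ replaced by the offending
# address (constructed line, shown for illustration):
#   KILL_ROUTE="/sbin/iptables -A PORTSENTRY -s $TARGET$ -j DROP"
# Hosts listed in portsentry.ignore are never passed to KILL_ROUTE at all.

build_rules
```

With `IPT` left at its default the script prints the rule set in order; a quick read confirms that the DNS and sshd ACCEPT rules appear before the jump into `PORTSENTRY`, which is the whole point of the layout.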