Re: Does Portsentry make sense if there is a packet filter?
From: Randy Ramsdell (me_at_somewhere.else)
Date: Mon, 21 Jun 2004 22:10:42 -0400
>>Well, my question is, does Portsentry make sense at all in this case?
>>Because it binds to all those ports and waits for scans, which is great,
>>but due to my packet filter, there will never be a packet that reaches
>>Wouldn't the Right Thing to do be enabling logging via iptables?
> Portsentry does much more than log. Its most bitchin'st capability is
> to detect a port scan and throw the offending machine in
> /etc/hosts.deny. So set portsentry to watch certain ports (like
> telnet, or portmap) and wait for the intruders to come knocking. When
> they do, their IP will be forever blocked from accessing your system
> in any way, ever.
I like portsentry, but the company that made it (Psionic sp?) was bought
by Cisco. I thought that was interesting. Anyway, from previous posts,
old versions are still available.
Portsentry will also block via iptables, ipchains, etc ... real-time, but
this could also turn into a type of DoS if the IP is spoofed. Keep
that in mind.
Another feature is that it will respond to scans by running an arbitrary
command at the offending host. (Not recommended by portsentry however)
Too bad no new version will be available cuz it is a great program.
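Added example, not part of the original post and not Portsentry's own code: one way to limit the spoofing risk mentioned above is to put a never-block list and an expiry time between scan detection and the firewall rule. The class name, the addresses (documentation ranges) and the one-hour TTL are assumptions made for illustration.

```python
import ipaddress
import time

# Constructed sample values: hosts this machine depends on (loopback, a
# gateway, a resolver subnet). A spoofed scan must never get these blocked.
NEVER_BLOCK = ("127.0.0.0/8", "192.0.2.1/32", "198.51.100.0/24", "::1/128")
BLOCK_TTL = 3600  # seconds; a block expires instead of lasting forever


class BlockList:
    """Decides whether a reported scan source may be blocked (hypothetical helper)."""

    def __init__(self, never_block=NEVER_BLOCK, ttl=BLOCK_TTL):
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.ttl = ttl
        self.active = {}  # ip address object -> expiry timestamp

    @staticmethod
    def _rule(action, ip):
        # Build the command as an argv list; the caller decides whether to run it.
        tool = "ip6tables" if ip.version == 6 else "iptables"
        return [tool, action, "INPUT", "-s", str(ip), "-j", "DROP"]

    def decide(self, src, now=None):
        """Return the firewall argv for a scan source, or None if it must not be blocked."""
        now = time.time() if now is None else now
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            return None  # malformed input from the detector: do nothing
        for net in self.never_block:
            if net.version == ip.version and ip in net:
                return None  # allowlisted: a spoofed source cannot cut this host off
        if self.active.get(ip, 0) > now:
            return None  # already blocked, avoid duplicate rules
        self.active[ip] = now + self.ttl
        return self._rule("-I", ip)

    def expire(self, now=None):
        """Return the argv lists that delete rules whose TTL has passed."""
        now = time.time() if now is None else now
        done = [ip for ip, until in self.active.items() if until <= now]
        for ip in done:
            del self.active[ip]
        return [self._rule("-D", ip) for ip in done]
```
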