Re: Does Portsentry make sense if there is a packet filter?

From: Randy Ramsdell (me_at_somewhere.else)
Date: 06/22/04


Date: Mon, 21 Jun 2004 22:10:42 -0400


xasdfg123456@yahoo.com wrote:
>>Well, my question is, does Portsentry make sense at all in this case?
>>Because it binds to all those ports and waits for scans, which is great,
>>but due to my packet filter, there will never be a packet that reaches
>>those ports.
>>
>>Wouldn't the Right Thing to do be enabling logging via iptables?
>
>
> Portsentry does much more than log. Its most bitchin'st capability is
> to detect a port scan and throw the offending machine in
> /etc/hosts.deny. So set portsentry to watch certain ports (like
> telnet, or portmap) and wait for the intruders to come knocking. When
> they do, their IP will be forever blocked from accessing your system
> in any way, ever.
>
> Bill

I like portsentry, but the company that made it (Psionic, sp?) was bought
by Cisco. I thought that was interesting. Anyway, from previous posts,
old versions are still available.

Portsentry will also block via iptables, ipchains, etc. in real time, but
this could also turn into a type of DoS if the IP is spoofed. Keep
that in mind.

Another feature is that it will respond to scans by running an arbitrary
command at the offending host. (Not recommended by portsentry, however.)

Too bad no new version will be available cuz it is a great program.

RCR
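A small model of the auto-blocking behaviour Bill describes and of the spoofed-IP DoS Randy warns about, added here as an example (it is not PortSentry's own code). The decoy ports, the scanner and gateway addresses and the traffic are constructed; the ignore list mirrors the role of PortSentry's portsentry.ignore file.

```python
"""Toy model of PortSentry-style auto-blocking (added example, not PortSentry's code).
A probe on a decoy port gets its source written to /etc/hosts.deny; a forged source
address can therefore lock out a host you depend on unless an ignore list (PortSentry
has portsentry.ignore for this) exempts it. All addresses/ports are constructed."""
from dataclasses import dataclass, field

TRAP_PORTS = {23, 111, 143}  # decoy telnet, portmap, imap ports (constructed)


@dataclass
class Blocker:
    trap_ports: set
    never_block: set = field(default_factory=set)
    blocked: set = field(default_factory=set)
    hosts_deny: list = field(default_factory=list)  # lines to append to /etc/hosts.deny
    log: list = field(default_factory=list)

    def handle(self, src_ip: str, dst_port: int) -> str:
        """Process one connection attempt and return the action taken."""
        if dst_port not in self.trap_ports:
            return "ignore"  # real service port, not the sentry's business
        self.log.append(f"probe {src_ip} -> tcp/{dst_port}")
        if src_ip in self.never_block:
            return "log-only"  # may be spoofed from a host we must keep reachable
        if src_ip in self.blocked:
            return "already-blocked"
        self.blocked.add(src_ip)
        self.hosts_deny.append(f"ALL: {src_ip}")  # tcp_wrappers deny line
        return "blocked"


def replay(events, never_block=frozenset()):
    """Feed (src_ip, dst_port) attempts through a fresh Blocker; return it and its actions."""
    b = Blocker(trap_ports=set(TRAP_PORTS), never_block=set(never_block))
    return b, [b.handle(ip, port) for ip, port in events]


# Constructed traffic: a scanner walks the decoy ports, then packets arrive whose
# source address has been forged to look like our default gateway.
GATEWAY = "192.0.2.1"
EVENTS = [
    ("203.0.113.9", 22),   # ssh: real service, not a trap
    ("203.0.113.9", 23),   # first decoy hit: block the scanner
    ("203.0.113.9", 111),  # already blocked
    (GATEWAY, 143),        # spoofed; a naive policy blocks the gateway itself
]

if __name__ == "__main__":
    print("naive hosts.deny:", replay(EVENTS)[0].hosts_deny)  # gateway denied: self-inflicted DoS
    print("with ignore list:", replay(EVENTS, never_block={GATEWAY})[0].hosts_deny)
```

The same reasoning applies to the iptables/ipchains blocking mode: whatever the sentry writes a rule for should be checked against a list of addresses it must never block.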
