
Re: [cobalt-users] PortSentry works !



For those that asked, or don't know:

PortSentry is an extremely overzealous piece of software, a bit like
ZoneAlarm for Win32.
It works in four modes: normal TCP, normal UDP, and stealth and advanced
stealth TCP. It works by listening on all your ports (normally all low ones)
for any packets.  If it gets something it's not expecting it can be configured
to either ignore it and log it in the syslog, put the originating IP in your
/etc/hosts.deny to prevent any wrappered services being used by the person
using the scanner, or drop in an ipchains rule to drop any packets from the
originating host at kernel level.

It works by detecting connections to ports that should not be in use on your
server (those that services are not running on) and then reacting according
to how you set it up.  This protects your host by almost instantly stopping
port scans from a certain IP and alerting you via your syslog.

I had some big problems with the software, because of its reactive rather
than passive detection methods... I run a lot of different services, many on
non-standard ports for firewall access from where I work; configuration was
a nightmare and it took me a while to sort out.  Anything but the normal
setting is total overkill unless you are trying to run an invisible server.

I highly recommend the article below; it is a good (albeit biased)
comparison between Snort (passive port scan detection software) and Psionic's
PortSentry:
http://www.linuxsecurity.com/articles/intrusion_detection_article-2655.html

I don't recommend trying to prosecute or retaliate against port scanners;
there are so many available, including ones with reverse-ident scanning,
that you cannot be sure who you are going after is the guilty party.  If I
wanted to scan your network for illegitimate purposes I would take over
another (innocent) host for the purpose of scanning you. I scan hosts a lot,
not for the purpose of owning their box, but for my own network security.
A port scanner is more than a hacking tool.
--
/\/\ a R (
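The reactive mechanism the post describes (bind decoy ports nobody should be talking to, treat any connection as a probe, then log it, add the source to /etc/hosts.deny, or drop in an ipchains rule) can be illustrated with a small stand-alone sketch. This is an added example written for this page, not PortSentry's own code. The IGNORE_HOSTS contents, the trigger-count semantics (distinct decoy ports hit, which is one way to avoid the false positives the post complains about), and the log line wording are assumptions; the ipchains command is the 2.2-kernel syntax for dropping input from a source address, and the hosts.deny line is the standard tcp_wrappers form. Actions are returned as strings rather than applied to the system, so it can be run safely anywhere.

```python
"""Toy reactive port sentry (added example, not PortSentry's code).

Listens on decoy TCP ports, treats every connection as a probe, and returns
the reaction as a string: nothing (log only), an /etc/hosts.deny line, or an
ipchains command.  Nothing here modifies the host; the caller decides.
"""
import select
import socket
from collections import defaultdict

# Hosts that are never blocked (hypothetical values; a real deployment would
# list its own admin/monitoring addresses here, like PortSentry's ignore file).
IGNORE_HOSTS = {"127.0.0.1", "::1"}

MODE_LOG = "log"          # only log the probe
MODE_HOSTS_DENY = "deny"  # log + hosts.deny entry, blocks wrappered services
MODE_IPCHAINS = "chains"  # log + kernel-level drop via ipchains


def hosts_deny_line(ip):
    """tcp_wrappers line: appended to /etc/hosts.deny it refuses the host
    for every wrappered service."""
    return f"ALL: {ip}"


def ipchains_rule(ip):
    """ipchains (2.2-era kernels) command that drops all input from the host."""
    return f"ipchains -I input -s {ip} -j DENY"


class Sentry:
    def __init__(self, mode=MODE_LOG, trigger=1, ignore=IGNORE_HOSTS):
        self.mode = mode
        self.trigger = trigger        # distinct decoy ports hit before reacting
        self.ignore = set(ignore)
        self.hits = defaultdict(set)  # source ip -> decoy ports it touched
        self.blocked = set()
        self.log = []                 # what would go to syslog
        self.socks = {}               # listening socket -> port number

    def handle_probe(self, ip, port):
        """Pure decision logic.  Records the probe and returns the action
        string, or '' when nothing beyond logging happens (ignored host,
        trigger not yet reached, already blocked, or log-only mode)."""
        if ip in self.ignore:
            return ""
        self.hits[ip].add(port)
        # wording loosely modelled on PortSentry's syslog messages (assumption)
        self.log.append(f"attackalert: connect from host {ip} to TCP port {port}")
        if ip in self.blocked or len(self.hits[ip]) < self.trigger:
            return ""
        self.blocked.add(ip)
        if self.mode == MODE_HOSTS_DENY:
            return hosts_deny_line(ip)
        if self.mode == MODE_IPCHAINS:
            return ipchains_rule(ip)
        return ""

    def listen(self, ports, host="0.0.0.0"):
        """Bind the decoy ports (port 0 lets the kernel pick a free one).
        Returns the port numbers actually bound."""
        for p in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, p))
            s.listen(5)
            s.setblocking(False)
            self.socks[s] = s.getsockname()[1]
        return sorted(self.socks.values())

    def poll(self, timeout=0.5):
        """Accept and immediately close every pending connection (the scanner
        already saw the port as open at the handshake), feed each source
        address to handle_probe, and return the non-empty actions."""
        ready, _, _ = select.select(list(self.socks), [], [], timeout)
        actions = []
        for s in ready:
            conn, (ip, _) = s.accept()
            conn.close()
            action = self.handle_probe(ip, self.socks[s])
            if action:
                actions.append(action)
        return actions

    def close(self):
        for s in self.socks:
            s.close()
        self.socks.clear()


def connect_once(host, port):
    """Stand-in for one scanner probe: a full TCP connect, then close."""
    with socket.create_connection((host, port), timeout=2.0):
        pass


if __name__ == "__main__":
    sentry = Sentry(mode=MODE_HOSTS_DENY, ignore=set())
    bound = sentry.listen([0, 0], host="127.0.0.1")   # two kernel-chosen decoys
    connect_once("127.0.0.1", bound[0])               # simulate a scan hit
    print(sentry.poll(2.0))                           # ['ALL: 127.0.0.1']
    print(sentry.log)
    sentry.close()
```

Running it locally with an empty ignore set (as in the `__main__` block) shows exactly why the post found the tool so twitchy: a single connect to a decoy port from any non-ignored address is enough to produce a block, so every legitimate service port has to be kept out of the decoy list and every trusted client address in the ignore list before the thing is safe to switch out of log-only mode.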