
Re: [cobalt-users] PortSentry works !



Hi!

> > But how effectively *does* portsentry lock them out?
>
> That's a good question...I certainly don't know.

Depends on how you configure portsentry. BTW - portsentry doesn't (b)lock
anybody (out), but is able to use different methods/levels of (b)locking.

On a test machine, I use both the hosts.deny option and the ipchains option,
just to be sure. hosts.deny will kick in when a service is called thru
tcp-wrappers. ipchains reacts on packets, before tcp-wrappers might kick in.

BTW - ipchains will be called with the -l switch, which means logging is on.
You will see a kernel message of *every* single packet that the blocked IP
sends, so be careful. You can of course configure portsentry to not use
the -l switch, once you get used to its methods.

> I get very confused with a lot of this stuff...and when I RTFM I usually
> turn towards the east and pray that someone learns how to write short
> sentences that are easy to comprehend.

Usually, HOWTOs tell you exactly what you didn't want to know. ;-)

For instance, I got scared by the PostgreSQL HOWTO by reading the first
chapters so gave up on it. Damn shame that turned out to be...

There are excellent scripts at hand for configuring ipchains. I use one in a
live environment that has saved my butt several times, but I'll have to
search to find it. It is maintained by the head guy at nerdherd.net.

Got it: http://www.linux.org/apps/AppId_816.html. I can't connect to
langistix.com, but perhaps you can?

> Maybe subscribe to the cobalt-security list?

Do that nonetheless, but also read up on any security related list you can
get your hands on. Cobalt OS is based on RedHat? Subscribe at RedHat,
excellent list. I received notification of a new package for bind *before* I
received a message stating that it was vulnerable.

> Yes, a "cook book" would be real handy.

Which isn't available as far as security is concerned. At least, I haven't
found it in my 3 year+ search. ;-)

One great source is http://www.openna.com/books/book.php. It has been
mentioned before, but it's worth mentioning again and again...

Have a safe one... Nico
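Added example, not part of Nico's post or of PortSentry itself: a small parser for the kernel messages that the ipchains `-l` switch produces for every packet from a blocked address, summarizing per source how many packets were dropped and which ports were hit, which helps judge the log volume before deciding whether to keep `-l`. The `Packet log:` field layout is assumed from the classic ipchains logging format, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Kernel line written when an ipchains rule carrying the -l switch matches.
# Field layout assumed from the classic ipchains "Packet log:" format.
IPCHAINS_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: two hosts that PortSentry added to the ipchains DENY
# list, one of which keeps probing after being blocked, plus an unrelated line.
SAMPLE_KERNEL_LOG = """\
Apr 12 02:14:01 web1 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4021 198.51.100.5:111 L=60 S=0x00 I=2317 F=0x4000 T=48 SYN (#1)
Apr 12 02:14:01 web1 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4022 198.51.100.5:143 L=60 S=0x00 I=2318 F=0x4000 T=48 SYN (#1)
Apr 12 02:14:03 web1 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4023 198.51.100.5:111 L=60 S=0x00 I=2319 F=0x4000 T=48 SYN (#1)
Apr 12 02:15:40 web1 kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.7:53211 198.51.100.5:69 L=44 S=0x00 I=911 F=0x0000 T=52 (#1)
Apr 12 02:16:00 web1 sshd[412]: Accepted password for nico from 198.51.100.77
"""


def summarize_denied(log_text):
    """Count DENY log lines per source address and collect the ports each hit.

    Returns {src_ip: {"packets": n, "ports": sorted list of destination ports}}.
    """
    stats = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in log_text.splitlines():
        m = IPCHAINS_LOG.search(line)
        if not m or m.group("target") != "DENY":
            continue  # not an ipchains drop line (e.g. the sshd line above)
        entry = stats[m.group("src")]
        entry["packets"] += 1
        entry["ports"].add(int(m.group("dport")))
    return {ip: {"packets": e["packets"], "ports": sorted(e["ports"])}
            for ip, e in stats.items()}


def noisiest_blocked_host(log_text):
    """Return (ip, packet count) for the blocked host producing the most log lines."""
    stats = summarize_denied(log_text)
    if not stats:
        return None
    ip = max(stats, key=lambda k: stats[k]["packets"])
    return ip, stats[ip]["packets"]


if __name__ == "__main__":
    for ip, e in summarize_denied(SAMPLE_KERNEL_LOG).items():
        print(f"{ip}: {e['packets']} dropped packets, ports {e['ports']}")
```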