From owner-freebsd-questions Tue Feb 11 21:56:11 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 02A7437B401 for ; Tue, 11 Feb 2003 21:56:09 -0800 (PST)
Received: from hermes.pressenter.com (hermes.pressenter.com [209.224.20.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0549F43FB1 for ; Tue, 11 Feb 2003 21:56:08 -0800 (PST) (envelope-from nospam@hiltonbsd.com)
Received: from [198.31.224.247] (helo=daggar.sbgnet.net) by hermes.pressenter.com with smtp (Exim 3.16 #1) id 18ipsI-0000LD-00; Tue, 11 Feb 2003 23:56:02 -0600
Date: Tue, 11 Feb 2003 23:55:30 -0600
From: Stephen Hilton
To: Redmond Militante
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: portsentry in combination with ipfilter
Message-Id: <20030211235530.376a5763.nospam@hiltonbsd.com>
In-Reply-To: <20030212050509.GA1381@darkpossum>
References: <20030212043806.GA1267@darkpossum> <3662.10.0.0.2.1045025758.squirrel@mail.karamazov.org> <20030212050509.GA1381@darkpossum>
X-Mailer: Sylpheed version 0.8.10 (GTK+ 1.2.10; i386-portbld-freebsd4.7)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, 11 Feb 2003 23:05:09 -0600 Redmond Militante wrote:

> hi
> i've used portsentry on standalone workstations before with ipfilter setup as a
> firewall, and for some reason, now when i'm trying to use it on a ipf/ipnat
> gateway box, it's being really verbose about the ports it's binding to. if i
> nmap a standalone workstation i have configured ipfilter/portsentry on, i don't
> get the huge list of ports that it's binding to... i thought perhaps there was
> a config option to hide this information

Redmond,

There is a good article regarding using portsentry @
http://www.sans.org/rr/intrusion/portsentry.php

They talk about version 1 on Linux being able to monitor ports using a socket instead of binding to a port, so this should look different to an nmap scan. As to whether or not FreeBSD supports this feature, I do not know. Anyone out there chime in?

From the SANS article
----------------snip-----------------
Example One - Default configuration

By default, the portsentry.conf is designed to listen and block attacking hosts using TCP Wrappers. The default configuration is set up to bind with some of the most commonly probed TCP ports and UDP ports on a Unix system. If any attacking host scans or makes an attempt to attach to one of the PortSentry bound ports, PortSentry will instantly drop the attacking host into the hosts.deny file, thus blocking _ALL_ traffic from the attacking IP address.
----------------snip-----------------

What bothers me about this method of defense is the possibility of an attacker causing a DoS by spoofing their source scan IP and causing your system to deny traffic from a valid host like your upstream DNS server.

I have not worked with portsentry at all, so this default behavior is probably not the optimum way to use this tool. Scanning is so common on the net that the gain from this seems minimal on a gateway firewall; inside your LAN is another story ;-)

As to system integrity checking, I like to use Aide, found in /usr/ports/security/aide, but tripwire is probably a more commonly used tool.

Using a tight ipf firewall in conjunction with snort on a gateway firewall is a common and well liked setup.

Regards,

Stephen Hilton
nospam@hiltonbsd.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
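The denial-of-service concern raised in the reply above (a scanner spoofing its source address so that a host you depend on, such as your upstream DNS server, ends up in hosts.deny) can be reduced by two safeguards when an auto-block policy is implemented: a never-block list for hosts you cannot afford to lose, and only counting TCP probes whose three-way handshake actually completed, since an off-path spoofed source cannot complete one. The Python script below is an added example written for this page; it is not code from the post, from PortSentry, or from the SANS article. The event record format, the addresses, the never-block list and the distinct-port threshold are all constructed assumptions, chosen only to show the policy.

```python
"""Added example (not from the mailing-list post): an auto-block policy
that resists the spoofed-source DoS described in the thread.

Safeguards demonstrated:
  1. a never-block list for critical hosts (upstream DNS, the LAN behind
     the gateway), so no probe record can get them into hosts.deny;
  2. only TCP events whose handshake completed count toward a block;
     bare SYNs and UDP packets are recorded but never trigger one.
All events, addresses and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ProbeEvent:
    proto: str       # "tcp" or "udp"
    src: str         # source address seen on the wire (may be spoofed)
    port: int        # local port that was probed
    completed: bool  # True only when the TCP three-way handshake completed


# Hypothetical never-block list: the upstream DNS server and the internal LAN.
NEVER_BLOCK = [ip_network("192.0.2.53/32"), ip_network("10.0.0.0/24")]

# Hypothetical threshold: distinct verified ports before a source is blocked.
DISTINCT_PORT_THRESHOLD = 3


def is_protected(src):
    """True if the address falls in any never-block network."""
    addr = ip_address(src)
    return any(addr in net for net in NEVER_BLOCK)


def evaluate(events, threshold=DISTINCT_PORT_THRESHOLD):
    """Return (blocked_sources, skipped) for a batch of probe events.

    blocked_sources: sorted list of sources that touched >= threshold distinct
                     ports with completed TCP handshakes.
    skipped:         (source, reason) pairs for events that were not counted.
    """
    ports_by_src = defaultdict(set)
    skipped = []
    for ev in events:
        if is_protected(ev.src):
            # The list wins even if the record looks like a real connection.
            skipped.append((ev.src, "never-block list"))
            continue
        if ev.proto != "tcp" or not ev.completed:
            # Could be spoofed: no handshake means the source is unverified.
            skipped.append((ev.src, "unverified source (no handshake)"))
            continue
        ports_by_src[ev.src].add(ev.port)
    blocked = sorted(s for s, ports in ports_by_src.items() if len(ports) >= threshold)
    return blocked, skipped


def hosts_deny_lines(blocked):
    """Render TCP Wrappers hosts.deny entries for the blocked sources."""
    return ["ALL: %s" % src for src in blocked]


# Constructed sample: one genuine scanner, one probe set spoofed as our DNS
# server, and one SYN-only/UDP scanner that never completes a handshake.
SAMPLE_EVENTS = [
    ProbeEvent("tcp", "198.51.100.7", 111, True),
    ProbeEvent("tcp", "198.51.100.7", 143, True),
    ProbeEvent("tcp", "198.51.100.7", 515, True),
    ProbeEvent("tcp", "192.0.2.53", 111, True),    # source spoofed as our DNS
    ProbeEvent("tcp", "192.0.2.53", 143, True),
    ProbeEvent("tcp", "192.0.2.53", 515, True),
    ProbeEvent("tcp", "203.0.113.9", 111, False),  # SYN only, unverified
    ProbeEvent("tcp", "203.0.113.9", 143, False),
    ProbeEvent("tcp", "203.0.113.9", 515, False),
    ProbeEvent("udp", "203.0.113.9", 161, False),  # UDP is trivially spoofable
]


if __name__ == "__main__":
    blocked, skipped = evaluate(SAMPLE_EVENTS)
    for line in hosts_deny_lines(blocked):
        print(line)
    for src, reason in skipped:
        print("skipped %s: %s" % (src, reason))
```

Run as-is, the only hosts.deny line produced is for 198.51.100.7; the records spoofed as the DNS server are skipped because of the never-block list, and the SYN-only and UDP records are skipped because the source was never verified by a completed handshake. The trade-off is that SYN-only scans no longer trigger a block at all, which matches the reply's point that on a gateway the gain from blocking scanners is small compared with the risk of locking out a host you need.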