Date: Wed, 12 Feb 2003 00:12:40 -0600 From: Redmond Militante <r-militante@northwestern.edu> To: Stephen Hilton <nospam@hiltonbsd.com>, freebsd-questions@freebsd.org Subject: Re: portsentry in combination with ipfilter Message-ID: <20030212061239.GB1381@darkpossum> In-Reply-To: <20030211235530.376a5763.nospam@hiltonbsd.com> References: <20030212043806.GA1267@darkpossum> <3662.10.0.0.2.1045025758.squirrel@mail.karamazov.org> <20030212050509.GA1381@darkpossum> <20030211235530.376a5763.nospam@hiltonbsd.com>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] hi thanks again. i think i'm going to move portsentry to hosts behind the gateway - makes more sense considering the info you sent, and then look into snort/tripwire on the gateway (i actually have tripwire installed, i just haven't generated a new config db lately, since i've been messing around with my configs so much). redmond > Redmond Militante <r-militante@northwestern.edu> wrote: > > > hi > > i've used portsentry on standalone workstations before with ipfilter setup as a > > +firewall, and for some reason, now when i'm trying to use it on a ipf/ipnat > > +gateway box, it's being really verbose about the ports it's binding to. if i > > +nmap a standalone workstation i have configured ipfilter/portsentry on, i don't > > +get the huge list of ports that it's binding to... i thought perhaps there was > > +a config option to hide this information > > Redmond, > > There is a good article regrading using portsentry @ > > http://www.sans.org/rr/intrusion/portsentry.php > > They talk about version 1 on Linux being able to monitor ports > using a socket instead of binding to a port, so this should > look different to an nmap scan. As to wheather or not FreeBSD > supports this feature, I do not know, Anyone out there chime in? > > > >From the SANS article > ----------------snip----------------- > Example One ? Default configuration > > By default, the portsentry.conf is designed to listen and block > attacking hosts using TCP Wrappers. The default configuration > is set up to bind with some of the most commonly probed TCP ports > and UDP ports on a Unix system. If any attacking host scans or > makes an attempt to attach to one of the PortSentry bound ports, > PortSentry will instantly drop the attacking host into the > hosts.deny file, thus blocking _ALL_ traffic from the attacking > IP address. > ----------------snip----------------- > > What bothers me about this method of defense is the possibilty > of an attacker causing a DOS by spoofing their source scan IP > and causing your system to deny traffic from a vaild host like > your upstream DNS server. > > I have not worked with portsentry at all so, this default > behavior is probably not the optimum way to use this tool. > > Scanning is so common on the net that the gain from this > seems minimal on a gateway firewall, inside your LAN is > another story ;-) > > As to system integrity checking, I like to use Aide, > found in /usr/ports/security/aide but tripwire is > probably a more commonly used tool. > > Using a tight ipf firewall in conjunction with snort on > a gateway firewall is a common and well liked setup. > > Regards, > > Stephen Hilton > nospam@hiltonbsd.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+SeXXFNjun16SvHYRAigFAJ9kFpxEaR6bk+zBhXT4DpG9KTd9mgCfex1T JkqykgOpQW/WbHSyJfhhDec= =jJ78 -----END PGP SIGNATURE-----help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030212061239.GB1381>