From: Redmond Militante
To: Stephen Hilton, freebsd-questions@freebsd.org
Subject: Re: portsentry in combination with ipfilter
Date: Wed, 12 Feb 2003 00:12:40 -0600
Message-ID: <20030212061239.GB1381@darkpossum>
In-Reply-To: <20030211235530.376a5763.nospam@hiltonbsd.com>
References: <20030212043806.GA1267@darkpossum> <3662.10.0.0.2.1045025758.squirrel@mail.karamazov.org> <20030212050509.GA1381@darkpossum> <20030211235530.376a5763.nospam@hiltonbsd.com>
User-Agent: Mutt/1.4i
hi

thanks again. i think i'm going to move portsentry to hosts behind the gateway - makes more sense considering the info you sent, and then look into snort/tripwire on the gateway (i actually have tripwire installed, i just haven't generated a new config db lately, since i've been messing around with my configs so much).

redmond

> Redmond Militante wrote:
>
> > hi
> > i've used portsentry on standalone workstations before with ipfilter setup as a
> > firewall, and for some reason, now when i'm trying to use it on an ipf/ipnat
> > gateway box, it's being really verbose about the ports it's binding to. if i
> > nmap a standalone workstation i have configured ipfilter/portsentry on, i don't
> > get the huge list of ports that it's binding to... i thought perhaps there was
> > a config option to hide this information
>
> Redmond,
>
> There is a good article regarding using portsentry @
>
> http://www.sans.org/rr/intrusion/portsentry.php
>
> They talk about version 1 on Linux being able to monitor ports
> using a socket instead of binding to a port, so this should
> look different to an nmap scan. As to whether or not FreeBSD
> supports this feature, I do not know. Anyone out there chime in?
>
>
> From the SANS article
> ----------------snip-----------------
> Example One - Default configuration
>
> By default, the portsentry.conf is designed to listen and block
> attacking hosts using TCP Wrappers. The default configuration
> is set up to bind with some of the most commonly probed TCP ports
> and UDP ports on a Unix system. If any attacking host scans or
> makes an attempt to attach to one of the PortSentry bound ports,
> PortSentry will instantly drop the attacking host into the
> hosts.deny file, thus blocking _ALL_ traffic from the attacking
> IP address.
> ----------------snip-----------------
>
> What bothers me about this method of defense is the possibility
> of an attacker causing a DoS by spoofing their source scan IP
> and causing your system to deny traffic from a valid host like
> your upstream DNS server.
>
> I have not worked with portsentry at all, so this default
> behavior is probably not the optimum way to use this tool.
>
> Scanning is so common on the net that the gain from this
> seems minimal on a gateway firewall; inside your LAN is
> another story ;-)
>
> As to system integrity checking, I like to use Aide,
> found in /usr/ports/security/aide, but tripwire is
> probably a more commonly used tool.
>
> Using a tight ipf firewall in conjunction with snort on
> a gateway firewall is a common and well liked setup.
>
> Regards,
>
> Stephen Hilton
> nospam@hiltonbsd.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
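The spoofed-source denial-of-service that Stephen raises is the real weakness of any "block whoever touched a trap port" scheme: a SYN scan needs no handshake, so an attacker can forge the source address of your upstream DNS server or default gateway and let the auto-blocker cut you off from it. PortSentry's answer to this is its IGNORE_FILE (portsentry.ignore), a list of addresses that are never blocked no matter what arrives from them. The simulation below is an added example written for this page, not PortSentry's code and not anything posted in the thread. It parses constructed PortSentry-style "attackalert" syslog lines, applies a constructed ignore list, and shows which sources would have landed in hosts.deny with and without that safeguard. The scan_trigger parameter, the hosts.deny and ipf rule rendering, and the interface name fxp0 are assumptions made for illustration.

```python
"""
Simulation of a PortSentry-style auto-blocker with an ignore list.

Added example: not PortSentry's source, not code from the mailing-list
thread. Log lines and the ignore list are constructed here; they mimic the
shape of PortSentry's "attackalert" messages and of portsentry.ignore,
but the parsing and blocking policy are this example's own.
"""
import re
from collections import defaultdict

# Constructed syslog sample. 198.51.100.7 and 203.0.113.9 are real scanners;
# the 192.0.2.53 lines are a SYN scan whose source was spoofed to look like
# our upstream DNS server. The spoofer never needs to see the replies.
SAMPLE_LOG = """\
portsentry[1234]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
portsentry[1234]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 143
portsentry[1234]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 635
portsentry[1234]: attackalert: Connect from host: 192.0.2.53/192.0.2.53 to TCP port: 111
portsentry[1234]: attackalert: Connect from host: 192.0.2.53/192.0.2.53 to TCP port: 143
portsentry[1234]: attackalert: Connect from host: 192.0.2.53/192.0.2.53 to TCP port: 635
portsentry[1234]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 111
"""

# Constructed ignore list in the spirit of portsentry.ignore: localhost,
# the default gateway and the upstream DNS server must never be blocked.
IGNORE_LIST = """\
# hosts that must never be blocked, whatever appears to come from them
127.0.0.1
192.0.2.1     # default gateway
192.0.2.53    # upstream DNS
"""

ALERT_RE = re.compile(
    r"attackalert: Connect from host: (\S+)/(\d+\.\d+\.\d+\.\d+) to (TCP|UDP) port: (\d+)"
)


def parse_ignore(text):
    """One address per line; '#' starts a comment, blank lines are skipped."""
    ignored = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ignored.add(line)
    return ignored


def parse_alerts(text):
    """Return (source_ip, protocol, port) for every attackalert line."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append((m.group(2), m.group(3), int(m.group(4))))
    return events


def decide_blocks(events, ignored, scan_trigger=1):
    """Split sources into (blocked, suppressed).

    A source is a candidate once it has touched at least scan_trigger distinct
    trap ports (hypothetical knob; PortSentry reacts on the first hit by
    default). Candidates on the ignore list are suppressed instead of blocked.
    """
    hits = defaultdict(set)
    for ip, proto, port in events:
        hits[ip].add((proto, port))
    blocked, suppressed = [], []
    for ip, ports in sorted(hits.items()):
        if len(ports) < scan_trigger:
            continue
        (suppressed if ip in ignored else blocked).append(ip)
    return blocked, suppressed


def hosts_deny_lines(blocked):
    """TCP Wrappers entries: deny every wrapped service to the source."""
    return ["ALL: %s" % ip for ip in blocked]


def ipf_block_rules(blocked, iface="fxp0"):
    """ipf rules of the kind a KILL_ROUTE hook could feed to 'ipf -f -'."""
    return ["block in quick on %s from %s to any" % (iface, ip) for ip in blocked]


if __name__ == "__main__":
    events = parse_alerts(SAMPLE_LOG)
    without_ignore, _ = decide_blocks(events, set())
    with_ignore, suppressed = decide_blocks(events, parse_ignore(IGNORE_LIST))
    print("no ignore list, would block:", without_ignore)
    print("with ignore list, blocks:   ", with_ignore)
    print("spoof attempt suppressed:   ", suppressed)
    for rule in ipf_block_rules(with_ignore):
        print(rule)
```

Without the ignore list the forged scan gets the DNS server (192.0.2.53) written into hosts.deny alongside the genuine scanners; with it, the same events block only 198.51.100.7 and 203.0.113.9 and the spoof is reported rather than acted on. Raising scan_trigger to 3 drops the single-probe source 203.0.113.9 from the block list as well, which is the other lever for trading false positives against reaction time.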