Date:      Wed, 12 Feb 2003 00:12:40 -0600
From:      Redmond Militante <r-militante@northwestern.edu>
To:        Stephen Hilton <nospam@hiltonbsd.com>, freebsd-questions@freebsd.org
Subject:   Re: portsentry in combination with ipfilter
Message-ID:  <20030212061239.GB1381@darkpossum>
In-Reply-To: <20030211235530.376a5763.nospam@hiltonbsd.com>
References:  <20030212043806.GA1267@darkpossum> <3662.10.0.0.2.1045025758.squirrel@mail.karamazov.org> <20030212050509.GA1381@darkpossum> <20030211235530.376a5763.nospam@hiltonbsd.com>



hi

thanks again.

i think i'm going to move portsentry to hosts behind the gateway - makes more sense considering the info you sent, and then look into snort/tripwire on the gateway (i actually have tripwire installed, i just haven't generated a new config db lately, since i've been messing around with my configs so much).

redmond

> Redmond Militante <r-militante@northwestern.edu> wrote:
>
> > hi
> > i've used portsentry on standalone workstations before with ipfilter setup as a firewall, and for some reason, now when i'm trying to use it on a ipf/ipnat gateway box, it's being really verbose about the ports it's binding to.  if i nmap a standalone workstation i have configured ipfilter/portsentry on, i don't get the huge list of ports that it's binding to...  i thought perhaps there was a config option to hide this information
>
> Redmond,
>
> There is a good article regarding using portsentry @
>
> http://www.sans.org/rr/intrusion/portsentry.php
>
> They talk about version 1 on Linux being able to monitor ports
> using a socket instead of binding to a port, so this should
> look different to an nmap scan. As to whether or not FreeBSD
> supports this feature, I do not know. Anyone out there chime in?
>
>
> From the SANS article
> ----------------snip-----------------
> Example One - Default configuration
>
> By default, the portsentry.conf is designed to listen and block
> attacking hosts using TCP Wrappers. The default configuration
> is set up to bind with some of the most commonly probed TCP ports
> and UDP ports on a Unix system. If any attacking host scans or
> makes an attempt to attach to one of the PortSentry bound ports,
> PortSentry will instantly drop the attacking host into the
> hosts.deny file, thus blocking _ALL_ traffic from the attacking
> IP address.
> ----------------snip-----------------
>
> What bothers me about this method of defense is the possibility
> of an attacker causing a DOS by spoofing their source scan IP
> and causing your system to deny traffic from a valid host like
> your upstream DNS server.
>
> I have not worked with portsentry at all so, this default
> behavior is probably not the optimum way to use this tool.
>
> Scanning is so common on the net that the gain from this
> seems minimal on a gateway firewall, inside your LAN is
> another story ;-)
>
> As to system integrity checking, I like to use Aide,
> found in /usr/ports/security/aide but tripwire is
> probably a more commonly used tool.
>
> Using a tight ipf firewall in conjunction with snort on
> a gateway firewall is a common and well liked setup.
>
> Regards,
>
> Stephen Hilton
> nospam@hiltonbsd.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
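The spoofing concern Stephen raises above, shown as a small simulation. This is an added example, not code from the thread or from portsentry itself: it models the decision the quoted SANS excerpt describes (a probe from an address leads to an "ALL: address" line in hosts.deny) and contrasts it with the same decision gated by an exemption list for hosts the box depends on, such as its gateway and upstream resolvers. portsentry ships an ignore file for this purpose; the file format used here (one address or CIDR per line, `#` comments), the addresses, and the scan events are all constructed for the example.

```python
"""Simulate portsentry-style auto-blocking with and without an exemption list.

Added example for this thread, not portsentry's own code. The point it
demonstrates: a forged probe whose source address is the upstream DNS server
gets that server written into hosts.deny unless its address is exempted
before the block decision is made.
"""
import ipaddress
from typing import Iterable, List, Set, Tuple

# Constructed exemption list (format assumed: one IP or CIDR per line, '#'
# comments). It names the gateway and the resolver subnet this host relies on.
SAMPLE_IGNORE_FILE = """
# never block our own gateway or the resolvers we depend on
127.0.0.1
192.0.2.1
198.51.100.0/29
"""

# Constructed probe events as "source-ip dest-port". The last one is a forged
# packet claiming to come from 198.51.100.2, the upstream resolver.
SAMPLE_EVENTS = [
    "203.0.113.7 111",
    "203.0.113.7 143",
    "203.0.113.42 31337",
    "198.51.100.2 79",
]


def parse_ignore(text: str) -> list:
    """Parse the exemption list into ip_network objects; bare hosts become /32."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_ignored(ip: str, ignore: Iterable) -> bool:
    """True when the source address falls inside any exempted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ignore)


def hosts_deny_line(ip: str) -> str:
    """TCP Wrappers syntax for denying every wrapped service to one address."""
    return f"ALL: {ip}"


def auto_block(events: Iterable[str], ignore: Iterable) -> Tuple[List[str], Set[str]]:
    """Return (hosts.deny lines that would be appended, addresses left alone).

    Each source address is decided once, in the order it is first seen, which
    mirrors the "instantly drop the host into hosts.deny" behaviour quoted
    above.
    """
    ignore = list(ignore)
    deny: List[str] = []
    seen: Set[str] = set()
    exempt: Set[str] = set()
    for event in events:
        src, _port = event.split()
        if src in seen:
            continue
        seen.add(src)
        if is_ignored(src, ignore):
            exempt.add(src)  # probe noted, but the host stays reachable
            continue
        deny.append(hosts_deny_line(src))
    return deny, exempt


if __name__ == "__main__":
    # Default-style behaviour: no exemptions, the resolver ends up denied.
    deny, _ = auto_block(SAMPLE_EVENTS, [])
    print("without exemptions:", deny)
    # Gated behaviour: the forged resolver probe is logged but not blocked.
    deny, exempt = auto_block(SAMPLE_EVENTS, parse_ignore(SAMPLE_IGNORE_FILE))
    print("with exemptions:   ", deny, "exempted:", sorted(exempt))
```

Run without an exemption list, the forged probe produces `ALL: 198.51.100.2`, which is exactly the outage Stephen describes; with the list in place the two real scanners are still denied and the resolver is only recorded as exempted. The same gating applies whatever mechanism does the blocking (hosts.deny, an ipf rule, a route), since the decision is made before the block is written.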


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030212061239.GB1381>