Message-ID: <3AE744B2.186E5793@acm.org>
Date: Wed, 25 Apr 2001 22:42:10 +0100
From: David Goddard
To: Domas Mituzas
Cc: scheidell@fdma.com, freebsd-security@FreeBSD.ORG
Subject: Re: Connection attempts (& active ids)
References: <20010423231908.N574-100000@axis.tdd.lt>

Domas Mituzas wrote:

[...]
> Several days ago I gave a lesson to guys, running portsentry and similar
> stuff with active blocking enabled. They did not believe they had any
> security breach, but after their own systems blocked all TLD servers, they
> removed portsentry immediately.
[...]

Now, this sounds like you are suggesting that portsentry is a Bad Thing, Period. I'm not sure I agree here...

Root servers I hadn't considered (thanks!), but I run portsentry and it's configured not to block any of the other machines essential to server running (gateway, colo DNS, backup MX, my own IPs etc.) and I don't give a toss if it blocks anything else temporarily (a luxury some might not have, admittedly) - I can fix any obvious problems.
Simply by being sat there listening to port 111, portsentry blocks several probably compromised systems a day from talking to my servers. Why should I not use it as a part of my security strategy? I'm not trying to be combative, but you seem to believe this sort of thing is fit for nothing and if I'm wrong I'd like to know it now rather than later...

Dave
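The safeguard Dave describes, a list of hosts the auto-blocker must never touch no matter what they send to the monitored port, as an added Python example that is not portsentry's own code. The portsentry.ignore-style list format, the monitored port 111 and every address are constructed assumptions (RFC 5737 documentation ranges).

```python
import ipaddress

# Constructed ignore list in the style of portsentry's portsentry.ignore file
# (assumed format: one IP or CIDR per line, '#' starts a comment). The
# addresses are documentation ranges standing in for real infrastructure.
IGNORE_LIST = """
127.0.0.1          # localhost
192.0.2.1          # default gateway
192.0.2.10         # this server's own public IP
198.51.100.53      # colo DNS resolver
198.51.100.25      # backup MX
203.0.113.0/24     # management network
"""

def load_ignore_list(text):
    """Parse ignore entries into ip_network objects; single hosts become /32."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def block_decision(src_ip, port, ignored, watched_ports=(111,)):
    """Return (should_block, reason) for one connection attempt.

    A source inside any ignore entry is never blocked, even when it touches a
    monitored port: an auto-blocker that cannot make this exception will
    eventually cut the server off from its own gateway, resolver or backup MX."""
    addr = ipaddress.ip_address(src_ip)
    if port not in watched_ports:
        return False, "port %d is not monitored" % port
    for net in ignored:
        if addr in net:
            return False, "%s matches ignore entry %s" % (src_ip, net)
    return True, "%s probed monitored port %d" % (src_ip, port)

if __name__ == "__main__":
    ignored = load_ignore_list(IGNORE_LIST)
    # Constructed connection attempts: the gateway and a management host hit
    # port 111 (must not be blocked); an unknown host hits it (blocked).
    for src, port in [("192.0.2.1", 111), ("203.0.113.77", 111),
                      ("198.51.100.200", 111), ("198.51.100.200", 80)]:
        block, why = block_decision(src, port, ignored)
        print("BLOCK " if block else "allow ", why)
```

The same check is where root and TLD name servers would be added, since a resolver that answers a query is not probing port 111 but can still trip a naive blocker that keys on any inbound packet.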