Message-ID: <3AE9BB34.B6C1676B@acm.org>
Date: Fri, 27 Apr 2001 19:32:20 +0100
From: David Goddard
To: Michael Scheidell
Cc: freebsd-security@freebsd.org, silby@silby.com
Subject: Re: Connection attempts (& active ids)
References: <200104260303.f3Q33CK49974@caerulus.cerintha.com> <001f01c0cf21$3b25fe70$0503a8c0@fdma.com>

Michael Scheidell wrote:
>
> From: "Mike Silbersack"
> > Well, by listening on more ports, you're just making yourself a more
> > appealing target. As such, I don't think you're really increasing your
> > security. It's attacks on the services that you're running which matter.
> >
>
> who said I was listening on any ports?

Going back a few messages, it was me that said I was listening on
additional ports, with portsentry listening to port 111 among others.

I disagree that it makes you a more appealing target - by connecting to
those ports, you get blocked and hence it no longer appears that there
is anything listening whatsoever.
I've had very few repeated connection attempts from machines that have
been blackholed by portsentry (although they could always be coming back
from another IP). I still maintain that careful use of portsentry is a
good thing, although I'm open to any decent argument to the contrary.

> icmp echo is blocked (ipfw deny)

I did this for a while but felt uncomfortable about it for no reason
that I could pin down (but probably because there are people who would
have a legitimate reason to ping). I pass but log pings nowadays - I
get a surprisingly large number of people pinging me.

Dave
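An added example, not part of the original message: one way to summarise who is pinging a host that passes but logs ICMP echo, by parsing ipfw syslog lines and counting echo requests per source. The rule number, interface name, host name and log lines are constructed, and the line layout is assumed to be the usual ipfw "log" output.

```python
import re
from collections import Counter

# Assumed rule behind these lines (hypothetical rule number 1000):
#   ipfw add 1000 allow log icmp from any to any in icmptypes 8
# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
Apr 27 19:01:02 gw /kernel: ipfw: 1000 Accept ICMP:8.0 192.0.2.10 198.51.100.5 in via fxp0
Apr 27 19:02:15 gw /kernel: ipfw: 2000 Deny TCP 203.0.113.77:4312 198.51.100.5:111 in via fxp0
Apr 27 19:03:40 gw /kernel: ipfw: 1000 Accept ICMP:8.0 192.0.2.10 198.51.100.5 in via fxp0
Apr 27 19:04:40 gw /kernel: ipfw: 1000 Accept ICMP:8.0 203.0.113.77 198.51.100.5 in via fxp0
Apr 27 19:05:10 gw last message repeated 2 times
Apr 27 19:06:00 gw /kernel: ipfw: 1000 Accept ICMP:0.0 192.0.2.99 198.51.100.5 in via fxp0
Apr 27 19:06:30 gw last message repeated 1 times
"""

# Groups: rule, action, ICMP type, ICMP code, source, destination, direction, interface
ICMP_RE = re.compile(
    r"ipfw: (\d+) (\w+) ICMP:(\d+)\.(\d+) (\S+) (\S+) (in|out) via (\S+)"
)
# syslogd collapses identical consecutive messages into this line
REPEAT_RE = re.compile(r"last message repeated (\d+) time")


def echo_requests_by_source(log_text):
    """Count logged ICMP echo requests (type 8) per source address."""
    counts = Counter()
    last_src = None  # source of the previous line if it was an echo request
    for line in log_text.splitlines():
        icmp = ICMP_RE.search(line)
        repeat = REPEAT_RE.search(line)
        if icmp:
            last_src = icmp.group(5) if icmp.group(3) == "8" else None
            if last_src:
                counts[last_src] += 1
        elif repeat and last_src:
            # The repeats belong to the echo request logged just before
            counts[last_src] += int(repeat.group(1))
        elif not repeat:
            last_src = None  # any other message breaks the repeat chain
    return counts


if __name__ == "__main__":
    for src, n in echo_requests_by_source(SAMPLE_LOG).most_common():
        print(f"{src}\t{n}")
```

Counting the "last message repeated" lines matters here, since a burst of identical pings from one source is otherwise recorded as a single hit.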