From owner-freebsd-security Sat Sep 15 6:02:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from breg.mc.mpls.visi.com (breg.mc.mpls.visi.com [208.42.156.101]) by hub.freebsd.org (Postfix) with ESMTP id 2EC7D37B40B for ; Sat, 15 Sep 2001 06:02:48 -0700 (PDT)
Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by breg.mc.mpls.visi.com (Postfix) with ESMTP id 4DDB32D0616 for ; Sat, 15 Sep 2001 08:02:47 -0500 (CDT)
Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.1/8.11.1) id f8FD2kj67278 for freebsd-security@freebsd.org; Sat, 15 Sep 2001 08:02:46 -0500 (CDT) (envelope-from hawkeyd)
Date: Sat, 15 Sep 2001 08:02:46 -0500
From: D J Hawkey Jr
To: security at FreeBSD
Subject: portsentry's stealth mode - works under fBSD with ipf?
Message-ID: <20010915080246.A67204@sheol.localdomain>
Reply-To: hawkeyd@visi.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi.

I've been tinkering with dynamic "blacklisting" of source IPs, using psionic's logtail utility and a cron'd shell script. It works well, but I was wondering if it might be better to use their portsentry utility. portsentry's docs say its stealth mode only works under Linux; is this true?

By way of further explanation, the cron'd script analyzes the read-in log entries for blocked source IPs that either hit on the box a smallish number of times, each hit within a defined frequency (port scans and DOS attempts), or hit on the box at all a larger number of times (for more general idiocies).

If all of portsentry's features work under FreeBSD with ipf, I'd try my hand at merging the script's analyses into portsentry. Or, merge that logic into ipmon?

Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/
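The two-threshold analysis Dave describes (a burst of blocked hits within a short window, or a larger number of hits overall) as an added example, not code from the post or from psionic's tools. It assumes ipmon-style "b" (blocked) records in the constructed layout shown, and the threshold values are illustrative; the real script's values are not given in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the layout ipmon uses for blocked ("b") packets
# (assumed layout; field details may differ on a real system).
SAMPLE_LOG = """\
15/09/2001 08:00:01.000000 fxp0 @0:1 b 10.0.0.5,40001 -> 192.168.1.2,21 PR tcp len 20 60 -S IN
15/09/2001 08:00:02.000000 fxp0 @0:1 b 10.0.0.5,40002 -> 192.168.1.2,22 PR tcp len 20 60 -S IN
15/09/2001 08:00:03.000000 fxp0 @0:1 b 10.0.0.5,40003 -> 192.168.1.2,23 PR tcp len 20 60 -S IN
15/09/2001 08:00:04.000000 fxp0 @0:1 b 10.0.0.5,40004 -> 192.168.1.2,25 PR tcp len 20 60 -S IN
15/09/2001 08:10:00.000000 fxp0 @0:1 b 10.0.0.7,40001 -> 192.168.1.2,22 PR tcp len 20 60 -S IN
15/09/2001 09:00:00.000000 fxp0 @0:1 b 10.0.0.9,40001 -> 192.168.1.2,22 PR tcp len 20 60 -S IN
15/09/2001 09:30:00.000000 fxp0 @0:1 b 10.0.0.9,40002 -> 192.168.1.2,22 PR tcp len 20 60 -S IN
15/09/2001 10:00:00.000000 fxp0 @0:1 b 10.0.0.9,40003 -> 192.168.1.2,22 PR tcp len 20 60 -S IN
15/09/2001 10:30:00.000000 fxp0 @0:1 b 10.0.0.9,40004 -> 192.168.1.2,22 PR tcp len 20 60 -S IN
15/09/2001 11:00:00.000000 fxp0 @0:1 b 10.0.0.9,40005 -> 192.168.1.2,22 PR tcp len 20 60 -S IN
"""

# Timestamp, interface, rule, then " b " (blocked), then source "addr,port".
BLOCKED = re.compile(r"^(\S+ \S+) \S+ \S+ b (\d+\.\d+\.\d+\.\d+),\d+ ->")

def parse_blocked(text):
    """Return {src_ip: [sorted datetimes]} for blocked packets only."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = BLOCKED.match(line)
        if not m:
            continue  # passed packets and unparsable lines are ignored
        ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S.%f")
        hits[m.group(2)].append(ts)
    return {ip: sorted(ts) for ip, ts in hits.items()}

def candidates(text, burst=4, window=60, total=5):
    """Sources to blacklist: >= `burst` hits within `window` seconds
    (scan/DoS pattern) or >= `total` hits overall (persistent nuisance).
    Threshold defaults are illustrative assumptions."""
    out = {}
    for ip, ts in parse_blocked(text).items():
        if len(ts) >= total:
            out[ip] = "total"
            continue
        # Sliding window over sorted timestamps: any `burst` consecutive
        # hits that fall inside `window` seconds trigger the burst rule.
        for i in range(len(ts) - burst + 1):
            if (ts[i + burst - 1] - ts[i]).total_seconds() <= window:
                out[ip] = "burst"
                break
    return out
```

On a cron'd run the returned addresses would be fed to the firewall's block list; a single blocked hit (10.0.0.7 above) is left alone.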