From: Baldur Gislason
To: "Jesper Wallin"
Cc: freebsd-security@freebsd.org
Subject: Re: Is PortSentry really safe to use?
Date: Fri, 15 Mar 2002 21:30:23 +0000
X-Mailer: KMail [version 1.2]
Message-Id: <02031521302303.03229@germanium>
In-Reply-To: <2332.213.112.58.232.1016226432.squirrel@phucking.kicks-ass.org>
References: <2332.213.112.58.232.1016226432.squirrel@phucking.kicks-ass.org>

That's right, you cannot rely on portsentry in "stealth scan" mode, since SYN packets are easily spoofable.

Baldur

On Friday 15 March 2002 21:07, you wrote:
> Hey..
>
> Let's say I want to hide all my services by changing the standard ports on
> all servers and run PortSentry.. I used to run my system like that before
> but yesterday a friend of mine was talking about a little security issue..
>
> Let's say we run a system like that on www.blah.com, what happens if I run a
> traceroute on it and fake a portscan from his default gateway? Sure he can
> add the default gateway to the portsentry.ignore file but then I just take
> the box before that and the one before that and the... and so on..
>
> Isn't PortSentry more like a problem than a help then? I'm not sure if all
> of this works but I know it's possible to fake portscans with software like
> "rain" and other "custom packets" programs.
>
>
> Jesper Wallin (aka Z3l3zT)
> "it's better to be a lame hacker than a hacked lamer"
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
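As an added example (not from this thread and not PortSentry's own code), a defender-side decision rule for a PortSentry-style auto-blocker that addresses the weakness both posters describe: bare SYNs are ignored because their source address can be forged, a block requires completed handshakes on several ports, and addresses on the route path are never blocked. The function names, the sample events and the addresses are all constructed, and the rule assumes the host's TCP initial sequence numbers are unpredictable, so a completed handshake really does prove the peer holds that address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class ProbeEvent:
    src: str                    # source address the sensor reported
    dst_port: int               # port that was probed
    handshake_completed: bool   # True only for a full TCP three-way handshake

def make_is_protected(route_hops, local_nets):
    """Predicate for addresses the sensor must never auto-block: the gateway,
    the hops beyond it (from our own traceroute), and local networks."""
    hops = {ip_address(h) for h in route_hops}
    nets = [ip_network(n) for n in local_nets]
    return lambda a: ip_address(a) in hops or any(ip_address(a) in n for n in nets)

def decide_blocks(events, route_hops, local_nets, min_ports=2):
    """Map each source address to a verdict.

    A bare SYN never counts: its source can be forged, so acting on it lets a
    third party get an arbitrary address blocked (the attack in the thread).
    A completed handshake shows the peer received our SYN-ACK at that address,
    so only those probes count, and only after min_ports distinct ports."""
    is_protected = make_is_protected(route_hops, local_nets)
    verified_ports = {}
    verdicts = {}
    for ev in events:
        if is_protected(ev.src):
            verdicts[ev.src] = "ignore:protected-hop"
        elif not ev.handshake_completed:
            verdicts.setdefault(ev.src, "ignore:spoofable-syn")
        else:
            verified_ports.setdefault(ev.src, set()).add(ev.dst_port)
            verdicts[ev.src] = ("block" if len(verified_ports[ev.src]) >= min_ports
                                else "watch:below-threshold")
    return verdicts

# Constructed sample: a forged SYN sweep "from" the gateway, a real scanner
# that completes handshakes, one legitimate single connection, one stray SYN.
SAMPLE_EVENTS = [ProbeEvent("192.0.2.1", p, False) for p in (21, 22, 23, 25, 80)] + [
    ProbeEvent("198.51.100.7", 22, True),
    ProbeEvent("198.51.100.7", 23, True),
    ProbeEvent("203.0.113.9", 80, True),
    ProbeEvent("203.0.113.44", 22, False),
]

def demo():
    return decide_blocks(SAMPLE_EVENTS, route_hops=["192.0.2.1", "192.0.2.254"],
                         local_nets=["10.0.0.0/8"])

if __name__ == "__main__":
    for src, verdict in demo().items():
        print(src, verdict)
```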