Date: Tue, 11 Feb 2003 23:55:30 -0600
From: Stephen Hilton <nospam@hiltonbsd.com>
To: Redmond Militante <r-militante@northwestern.edu>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: portsentry in combination with ipfilter
Message-ID: <20030211235530.376a5763.nospam@hiltonbsd.com>
In-Reply-To: <20030212050509.GA1381@darkpossum>
References: <20030212043806.GA1267@darkpossum> <3662.10.0.0.2.1045025758.squirrel@mail.karamazov.org> <20030212050509.GA1381@darkpossum>
On Tue, 11 Feb 2003 23:05:09 -0600
Redmond Militante <r-militante@northwestern.edu> wrote:

> hi
> i've used portsentry on standalone workstations before with ipfilter setup as a
> firewall, and for some reason, now when i'm trying to use it on an ipf/ipnat
> gateway box, it's being really verbose about the ports it's binding to. if i
> nmap a standalone workstation i have configured ipfilter/portsentry on, i don't
> get the huge list of ports that it's binding to... i thought perhaps there was
> a config option to hide this information

Redmond,

There is a good article regarding using portsentry @
http://www.sans.org/rr/intrusion/portsentry.php

They talk about version 1 on Linux being able to monitor ports using a socket instead of binding to a port, so this should look different to an nmap scan. As to whether or not FreeBSD supports this feature, I do not know. Anyone out there chime in?

From the SANS article

----------------snip-----------------
Example One - Default configuration

By default, the portsentry.conf is designed to listen and block attacking hosts using TCP Wrappers. The default configuration is set up to bind with some of the most commonly probed TCP ports and UDP ports on a Unix system. If any attacking host scans or makes an attempt to attach to one of the PortSentry bound ports, PortSentry will instantly drop the attacking host into the hosts.deny file, thus blocking _ALL_ traffic from the attacking IP address.
----------------snip-----------------

What bothers me about this method of defense is the possibility of an attacker causing a DOS by spoofing their source scan IP and causing your system to deny traffic from a valid host like your upstream DNS server. I have not worked with portsentry at all, so this default behavior is probably not the optimum way to use this tool.

Scanning is so common on the net that the gain from this seems minimal on a gateway firewall; inside your LAN is another story ;-)

As to system integrity checking, I like to use Aide, found in /usr/ports/security/aide, but tripwire is probably a more commonly used tool.

Using a tight ipf firewall in conjunction with snort on a gateway firewall is a common and well-liked setup.

Regards,

Stephen Hilton
nospam@hiltonbsd.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
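The collateral-blocking concern raised in the reply above (a spoofed scan landing your own upstream resolver in hosts.deny), as an added example that is not from this thread or from the PortSentry project: a Python audit that compares the client addresses PortSentry has written to hosts.deny against hosts that must never be blocked, taken from resolv.conf plus an operator-supplied list. The "ALL: <ip>" line format, the file paths in the comments and all sample data are assumptions or constructed.

```python
import ipaddress
import re

# Assumed PortSentry default KILL_HOSTS_DENY format: "ALL: <ip>" (daemon list, colon, client).
DENY_RE = re.compile(r"^\s*([\w,]+)\s*:\s*(\S+)")

def parse_hosts_deny(text):
    """Return the set of plain IP addresses denied by '<daemons>: <client>' lines."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = DENY_RE.match(line) if line else None
        if m:
            try:
                blocked.add(ipaddress.ip_address(m.group(2)))
            except ValueError:
                pass  # hostnames and wildcards such as PARANOID are not IPs
    return blocked

def parse_resolvers(text):
    """Extract nameserver addresses from resolv.conf-style text."""
    addrs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                addrs.add(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass
    return addrs

def find_collateral_blocks(hosts_deny_text, resolv_conf_text, extra_critical=()):
    """Critical hosts (resolvers plus extra_critical) that PortSentry has blocked, as strings."""
    critical = parse_resolvers(resolv_conf_text)
    critical |= {ipaddress.ip_address(a) for a in extra_critical}
    return sorted(str(ip) for ip in critical & parse_hosts_deny(hosts_deny_text))

# Constructed sample files (RFC 5737 documentation addresses, not captured from a real host).
SAMPLE_HOSTS_DENY = """\
# the ALL: lines are what PortSentry would append
ALL: 203.0.113.77
ALL: 198.51.100.5
sshd: 192.0.2.9
ALL: PARANOID
"""
SAMPLE_RESOLV_CONF = "nameserver 198.51.100.5\nnameserver 198.51.100.6\n"

if __name__ == "__main__":  # on a live box, read /etc/hosts.deny and /etc/resolv.conf instead
    for ip in find_collateral_blocks(SAMPLE_HOSTS_DENY, SAMPLE_RESOLV_CONF, ["192.0.2.9"]):
        print(f"WARNING: critical host {ip} is blocked in hosts.deny")
```

Run it from cron against the live files and alert on any output; the same check is a reasonable gate before trusting PortSentry's automatic blocking on a gateway.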