>>> And the portsentry alternative to deal with 20+ scans per day is....?
>>
>> Good host-based IDS, updated patches, a hardened server, and a vigilant
>> admin.
>
> No doubt you are right. However, Portsentry's function isn't only to
> block IPs. It also alerts a vigilant admin to any number of suspicious
> activities that go on. Whereas Portsentry was not designed to be nor
> should be the ONLY deterrent against h4cker5, it can certainly be a
> valuable time-saver for some of those vigilant admins, who have little
> time as it is to read through millions of lines of log files every day.
> (Yes, I exaggerate. But that's really what it feels like.)
>
>>> Are you suggesting that running without Portsentry is better than running
>>> with it?
>
> Therefore, I conclude, running Portsentry is better than not running
> it.

Exactly. I don't think anyone on this thread expected to run JUST PortSentry then go back to la-la land and forget about security. My servers are diligently patched, CGIs are monitored, ipchains is implemented, logcheck sends me a report regularly, and I find it much easier to be vigilant with these tools helping me.

To just blanket announce that one doesn't like a tool like Portsentry and that it shouldn't be used is a dis to the program's authors and to the professionals who've recommended it as PART of a security plan.

Another dis I recently ran across was an "old-wise one" proclaiming on his security dissertation website that old pro administrators hated getting scan reports and usually just tossed them with no action. With an attitude like that, is it any wonder that the hackers/script kiddies are continuing to bring down chunks of the Internet with their DoS attacks etc. with impunity? Sending a short professional heads-up scan report to the admins of public servers that have obviously been hacked and whose network resources are being used for intrusive scanning (finding more zombies to enlist for their DoS attacks) hopefully helps stem the tide a little bit.

This week alone I alerted at least 5 corporate IT admins, 2 FEDERAL gov agencies, 3 .edu's, a US Army dial-up admin, and a handful of SOHO server owners that their machines/networks were compromised. Their servers were taken offline and most later confirmed that they did indeed have a problem.

Tony

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
