"Gerald Waugh" <[EMAIL PROTECTED]> wrote:
> I used to use portsentry but have given up on it. For one thing it keeps
> a bunch of ports open that I don't use anyway, so it's kind of like entrapment:
> you catch people trying to access ports on the machine that are not in use
> anyway.
Gerald, you can specify exactly which ports you want it to listen to. The reason for allowing it to bind to ports that you don't use (and would probably otherwise block with IPCHAINS, iptables, etc.) is that hopefully you'll catch a hacker doing a port scan before they get to one of your active ports running real services, and automatically drop their traffic in your firewall.

BTW, IMO it's a good idea to flush all of the IPs associated with scan attempts a reasonable amount of time after they're added to the firewall. If your firewall rules become too cumbersome it starts to affect performance, and since most hackers are probably connecting from dynamic IPs on dialups or rooted machines that aren't their own, IMO in general there's little benefit to keeping those offending IPs listed more than a day or two, by which time the threat has probably passed. You probably know this or have your own mechanisms in place; just thought I'd share my opinion for anyone reading this.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
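Steve's suggestion of expiring scan-triggered firewall blocks after a day or two, written out as an added example (this is not code from the thread, from portsentry, or from any of the posters). It is a small POSIX shell script that assumes the blocking mechanism records each block in a file of constructed `<epoch-seconds> <ip>` lines; that format, the function names and the `MAX_AGE` and `DRY_RUN` variables are assumptions of this example, not something portsentry provides. Given the file and the current time, it reports which entries are older than the configured age, emits (or, with `DRY_RUN=0`, runs) the matching `iptables -D INPUT -s <ip> -j DROP` commands, and rewrites the file so only still-active blocks remain.

```shell
#!/bin/sh
# Added example: expire firewall DROP rules that were inserted in response to
# port scans once they are older than MAX_AGE seconds (default: two days).
# Assumption: each block is recorded as one "<epoch-seconds> <ip>" line in a
# file you maintain (a constructed format for this example, not portsentry's).
MAX_AGE=${MAX_AGE:-172800}
DRY_RUN=${DRY_RUN:-1}       # 1 = print the iptables commands, 0 = run them

# expired_ips FILE NOW: print the IPs whose block is older than MAX_AGE at NOW.
expired_ips() {
    blockfile=$1
    now=$2
    while read -r stamp ip; do
        # skip blank or malformed lines rather than aborting the whole run
        [ -n "$stamp" ] && [ -n "$ip" ] || continue
        if [ $((now - stamp)) -gt "$MAX_AGE" ]; then
            printf '%s\n' "$ip"
        fi
    done < "$blockfile"
}

# active_entries FILE NOW: print the lines that are still within MAX_AGE.
active_entries() {
    blockfile=$1
    now=$2
    while read -r stamp ip; do
        [ -n "$stamp" ] && [ -n "$ip" ] || continue
        if [ $((now - stamp)) -le "$MAX_AGE" ]; then
            printf '%s %s\n' "$stamp" "$ip"
        fi
    done < "$blockfile"
}

# unblock_expired FILE NOW: remove the DROP rule for each expired IP (or print
# the command under DRY_RUN), then rewrite FILE so it lists only active blocks.
unblock_expired() {
    blockfile=$1
    now=$2
    expired_ips "$blockfile" "$now" | while read -r ip; do
        if [ "$DRY_RUN" = 1 ]; then
            printf 'iptables -D INPUT -s %s -j DROP\n' "$ip"
        else
            iptables -D INPUT -s "$ip" -j DROP
        fi
    done
    active_entries "$blockfile" "$now" > "${blockfile}.tmp" \
        && mv "${blockfile}.tmp" "$blockfile"
}

# Usage (e.g. hourly from cron): DRY_RUN=0 sh expire_blocks.sh /path/to/blockfile
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    unblock_expired "$1" "$(date +%s)"
fi
```

Keeping the timestamp alongside the IP is what makes the expiry decision cheap: the script never has to parse `iptables -L` output, and a block that was re-added after a fresh scan simply gets a newer line and survives the next sweep.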
