> <snip> Anyway this is a Raq4 (fully patched inc. SHP). ipchains (via pmfirewall) defaults to DENY all, then ALLOWs the services I am running. Portsentry (-stcp, -sudp) is set to a Trigger of 1 (paranoid).
>
> But because ipchains is denying packets, the monitored ports do not trigger Portsentry, causing the Raq to go into overdrive when a full port sweep is happening. (I like to see what ipchains is up to, so it is logging.) What I want is a default DENY policy, but Portsentry to see the port scans and then drop the connections from that IP via ipchains. What is the best way to achieve this? </snip>

Huh!! You're currently blocking stuff using ipchains (the best way) and want to stop using this to use a program which checks for ports, then ADDS them to your ipchains block rules when they do a scan??? Seems strange to me; why do you want to do it this way round?

Just set the common types of attacks you get to non-logging so the logs don't fill up quickly. Apart from that, you've got it spot on: ipchains is dropping packets at the best level.

A better solution would be to get a hardware-based firewall to put in front of the machine, like a Firebox or Cisco kit, though I'm suspecting this isn't an option.

Regards,
Andy
[EMAIL PROTECTED]
http://www.raqpak.com/ <-- Raq/Qube unofficial PKGs and support advice

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
