<snip> Little bit more detail: I would prefer portsentry to see the incoming scan after 2 or 3 ports, then let ipchains DENY all from that particular IP, so to the attacker my box seems dead as they will get no response at all from any port. </snip>

Hi Peter,

Think I have an understanding of what you're trying now, I'd suggest this: set up your firewall again, and this time leave out 3 other random port numbers in the privileged range (obviously not ones already in use for any services you run), e.g. 540, 643, 1080 on TCP.

Then make sure portsentry listens on those three IPs by adding them to the portsentry.conf file. (These are there by default on the middle 'aware' line in the portsentry.conf.)

You're then getting the best of both worlds, where your ipchains is doing the real hard work generally blocking, but if a portscan comes in, portsentry should spot it happening on your 3 random port numbers and block the IP doing the attacking.

Hope that achieves your goal!

Regards,
Andy
[EMAIL PROTECTED]
http://www.raqpak.com/ <-- Raq/Qube unofficial PKGs and support advice

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
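
A sketch of the setup suggested in the reply above, added here as an example and not taken from the thread. The key names are those of the stock portsentry.conf; the `/sbin/ipchains` path, the ACCEPT rules shown in comments, the catch-all DENY layout and the `SCAN_TRIGGER` value are assumptions.

```conf
# --- firewall script (ipchains), shown here as comments ---------------
# Assumed layout: the input chain ends in a catch-all DENY, so the three
# trap ports need explicit ACCEPT rules. Without them ipchains drops the
# probe before portsentry's listening socket ever sees it.
#   /sbin/ipchains -A input -p tcp -d 0/0 540  -j ACCEPT
#   /sbin/ipchains -A input -p tcp -d 0/0 643  -j ACCEPT
#   /sbin/ipchains -A input -p tcp -d 0/0 1080 -j ACCEPT

# --- portsentry.conf ---------------------------------------------------
# Basic TCP mode (portsentry -tcp) binds only the ports listed here.
# None of them may already be in use by a real service.
TCP_PORTS="540,643,1080"

# 0 = log only, 1 = run KILL_ROUTE against the source, 2 = external
# command only.
BLOCK_TCP="1"

# -I inserts the rule at the top of the input chain, ahead of the ACCEPT
# rules above, so the source loses the trap ports and every real service
# at once. DENY drops silently (REJECT would answer with ICMP); -l logs
# the dropped packets.
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

# Connects tolerated per source before reacting. 0 reacts on the first
# hit; 1 waits for the second trap port, which is as close as three trap
# ports get to the "after 2 or 3 ports" behaviour asked for.
SCAN_TRIGGER="1"
```

Rules added through KILL_ROUTE live only in the running chain, so a firewall script that flushes and rebuilds the input chain will also remove the blocks portsentry has placed.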
