> How do you combine your firewall with portsentry? It seems to me
> that a good firewall has a default drop policy, so probes and
> scans will be blocked by the firewall, and never reach portsentry.

That's correct; so I open the ipchains firewall for "trap ports".

> The goal is reached, bad guys stay out, but I'd prefer to somehow
> make portsentry check the data as well. I prefer to know if
> someone scanned my network. Most of the information can be read
> from the firewall logs, but it would require a big bunch of
> scripts (pretty much rewriting portsentry) to see the big picture
> with many scans.

For that I use logcheck and do log as little as possible.

> A solution might be to run portsentry on a box outside my firewall,
> but for me that's not an option.

Well, with ipchains and no separate hardware firewall this is no problem.

> Another possibility would be to forward all packets that would have
> been dropped, to a machine inside my firewall, and check them there.
> This doesn't sound very good to me either. Does anyone have some thoughts
> on this (combining a firewall with portsentry (or snort))?

I do not have a real firewall, so I can't tell you solutions for this. But I've stopped caring much about script kiddies scanning my network; it happens too often and I can't do anything about it but log...

Greetings,
Erich
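The original poster's remark that getting "the big picture with many scans" out of the firewall logs would take a bunch of scripts is the part of this exchange most worth illustrating. The script below is an added example, not code from either participant in the thread: it parses ipchains-style kernel "Packet log:" lines and, per source address, counts how many distinct destination ports were hit within a sliding time window, so that a source probing many ports in a short burst stands out from a single stray packet. The log lines are constructed for the example and only approximate the ipchains format; the regular expression, the 60-second window and the five-port threshold are assumptions to adjust for your own syslog layout and traffic.

```python
"""Summarize ipchains-style firewall log lines into per-source scan findings.

Added example for this thread, not code from the original posters.
Assumes the classic ipchains "Packet log:" line layout (see LOG_RE);
the sample lines below are constructed, not real captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines approximating ipchains' packet log output.
SAMPLE_LOG = """\
Mar  3 02:14:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:40001 192.168.1.2:21 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
Mar  3 02:14:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:40002 192.168.1.2:22 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Mar  3 02:14:02 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:40003 192.168.1.2:23 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#3)
Mar  3 02:14:02 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:40004 192.168.1.2:25 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#3)
Mar  3 02:14:03 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:40005 192.168.1.2:80 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#3)
Mar  3 02:14:03 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:40006 192.168.1.2:110 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#3)
Mar  3 02:20:17 gw kernel: Packet log: input DENY eth0 PROTO=17 172.16.9.9:5353 192.168.1.2:5353 L=80 S=0x00 I=7 F=0x0000 T=255 (#3)
Mar  3 02:31:44 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:40007 192.168.1.2:143 L=60 S=0x00 I=8 F=0x4000 T=64 SYN (#3)
"""

# Assumed line layout: syslog timestamp, host, then the ipchains fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_events(log_text):
    """Turn matching log lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append({
            "ts": ts, "src": m["src"], "dst": m["dst"], "target": m["target"],
            "proto": PROTO_NAMES.get(int(m["proto"]), m["proto"]),
            "dport": int(m["dport"]),
        })
    return events


def detect_scans(events, window_s=60, min_ports=5):
    """Per source, find the largest set of distinct (proto, port) targets hit
    within any window_s-second span; flag it as a scan at min_ports or more."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, lo = set(), 0
        for hi in range(len(evs)):
            # slide the window start forward until it fits within window_s
            while (evs[hi]["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            ports = {(e["proto"], e["dport"]) for e in evs[lo:hi + 1]}
            if len(ports) > len(best):
                best = ports
        findings[src] = {
            "events": len(evs),
            "distinct_ports": len({(e["proto"], e["dport"]) for e in evs}),
            "max_ports_in_window": len(best),
            "scan": len(best) >= min_ports,
            "first": evs[0]["ts"].strftime("%b %d %H:%M:%S"),
            "last": evs[-1]["ts"].strftime("%b %d %H:%M:%S"),
        }
    return findings


def report(findings):
    """One line per source, scans first, for a logcheck-style digest."""
    rows = sorted(findings.items(), key=lambda kv: (not kv[1]["scan"], kv[0]))
    return "\n".join(
        "%s %-15s %3d pkts %3d ports (max %d in window) %s .. %s"
        % ("SCAN" if f["scan"] else "    ", src, f["events"], f["distinct_ports"],
           f["max_ports_in_window"], f["first"], f["last"])
        for src, f in rows
    )


if __name__ == "__main__":
    print(report(detect_scans(parse_events(SAMPLE_LOG))))
```

Feeding it real logs is a matter of reading `/var/log/messages` (or wherever klogd writes) into `parse_events` instead of `SAMPLE_LOG`; the window and threshold decide how strict the summary is, and the per-source digest is what one would hand to logcheck rather than the raw packet lines.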

