On Tue, Jan 23, 2001 at 05:19:24PM -0600, David Duffey wrote:
> On Tue, Jan 23, 2001 at 11:45:28AM -0500, Gord Mc . Pherson wrote:
> > I'd also concur with a previous comment about 'portsentry', since it's possible
> > to spoof an address and have portsentry block it. It therefore becomes an effective
> > tool for a hacker to use as a DoS. For example, I could find out what your ISP's DNS
> > servers are, spoof those addresses and have your portsentry block them. This would
> > cut you off from the net until you manually corrected it.
>
> Actually that will not happen to me, or anyone else installing the debian portsentry
> package because that is NOT the way that debian ships portsentry by default, and there
> is even a comment about spoofing in the portsentry config file:
>
> # I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
> # AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
> # and people can make scans appear out of thin air. The only time it
> # is reasonably safe (and I *never* think it is reasonable) to run
> # reverse probe scripts is when using the "classic" -tcp mode.
I agree with this point too.
> granted this is in the section talking about the KILL_RUN_CMD, but it's pretty
> obvious that this applies to other KILL_.*_CMDs also.
>
> The only thing I use portsentry for is for information gathering, and that is the
> most important aspect of securing a system (knowledge of the system). My "real"
> security is in a less-dynamic way through rp_filter, ipchains, tcp-wrappers and
> chroot'ed environments.
>
> I only recommended portsentry as an informational tool (as the original poster
> requested)
And if the license for portsentry is an issue, you could also consider
scandetd, which is a portscan detector released under the GPL.
--
--Brad
============================================================================
Bradley M. Alexander, CISSP | Co-Chairman,
Beowulf System Admin/Security Specialist | NoVALUG/DCLUG Security SIG
Winstar Telecom | [EMAIL PROTECTED]
(703) 889-1049 | [EMAIL PROTECTED]
============================================================================
Time is what keeps everything from happening to us all at once.
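A defender-side check for the failure mode discussed in this thread, added here as an example and not code from the thread or from the portsentry package: it reads the resolvers from a resolv.conf body, scans portsentry "attackalert ... has been blocked" log lines, reports any resolver that an auto-block has cut off, and emits the entries for an ignore file so those hosts are never blocked. The log-line shape, the sample lines and the resolv.conf content are constructed for this example.

```python
import re
from ipaddress import ip_address

# Constructed sample syslog lines; the "attackalert" wording is assumed to
# resemble what portsentry logs, not copied from a real system.
SAMPLE_LOG = """\
Jan 23 17:01:02 gw portsentry[812]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 111
Jan 23 17:01:02 gw portsentry[812]: attackalert: Host 203.0.113.9 has been blocked via wrappers with string: "ALL: 203.0.113.9"
Jan 23 17:05:44 gw portsentry[812]: attackalert: Connect from host: 198.51.100.53/198.51.100.53 to TCP port: 1
Jan 23 17:05:44 gw portsentry[812]: attackalert: Host 198.51.100.53 has been blocked via dropped route using command: "/sbin/route add -host 198.51.100.53 reject"
"""

# Constructed resolv.conf; these are the "ISP DNS servers" a spoofed scan
# could get auto-blocked, which is the outage the thread warns about.
SAMPLE_RESOLV_CONF = """\
nameserver 198.51.100.53
nameserver 198.51.100.54
"""

BLOCKED_RE = re.compile(r"attackalert: Host (\S+) has been blocked")


def resolvers(resolv_conf: str) -> set:
    """Nameserver addresses listed in a resolv.conf body (validated as IPs)."""
    found = set()
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.add(str(ip_address(parts[1])))
    return found


def blocked_hosts(log: str) -> list:
    """Hosts that portsentry reports as auto-blocked, in log order."""
    matches = (BLOCKED_RE.search(line) for line in log.splitlines())
    return [m.group(1) for m in matches if m]


def blocked_critical(log: str, critical: set) -> list:
    """Critical hosts (resolvers, gateway, ...) that an auto-block has cut off."""
    return sorted(h for h in blocked_hosts(log) if h in critical)


def ignore_file(critical: set) -> str:
    """Body of an ignore file (one address per line) so these hosts are never blocked."""
    return "\n".join(sorted(critical)) + "\n"
```

Feeding the default gateway into the critical set alongside the resolvers catches the other host whose loss would cut the machine off entirely.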