On Tue, Jan 23, 2001 at 05:19:24PM -0600, David Duffey wrote:
> On Tue, Jan 23, 2001 at 11:45:28AM -0500, Gord Mc. Pherson wrote:
> > I'd also concur with a previous comment about 'portsentry', since it's
> > possible to spoof an address and have portsentry block it.. it therefore
> > becomes an effective tool for a hacker to use as a DoS. For example, I
> > could find out what your ISP's DNS servers are, spoof those addresses and
> > have your portsentry block them. This would cut you off from the net until
> > you manually corrected it.
>
> Actually that will not happen to me, or anyone else installing the Debian
> portsentry package, because that is NOT the way that Debian ships portsentry
> by default, and there is even a comment about spoofing in the portsentry
> config file:
>
> # I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
> # AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
> # and people can make scans appear out of thin air. The only time it
> # is reasonably safe (and I *never* think it is reasonable) to run
> # reverse probe scripts is when using the "classic" -tcp mode.

I agree with this point too.

> Granted, this is in the section talking about the KILL_RUN_CMD, but it's
> pretty obvious that this applies to the other KILL_.*_CMDs also.
>
> The only thing I use portsentry for is information gathering, and that
> is the most important aspect of securing a system (knowledge of the
> system). My "real" security is in a less-dynamic way through rp_filter,
> ipchains, tcp-wrappers and chroot'ed environments.
>
> I only recommend portsentry as an informational tool (as the original
> poster requested).

And if the license for portsentry is an issue, you could also consider
scandetd, which is a portscan detector released under the GPL.

--
--Brad
============================================================================
Bradley M. Alexander, CISSP              | Co-Chairman,
Beowulf System Admin/Security Specialist | NoVALUG/DCLUG Security SIG
Winstar Telecom                          | [EMAIL PROTECTED]
(703) 889-1049                           | [EMAIL PROTECTED]
============================================================================
Time is what keeps everything from happening to us all at once.
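As an added illustration that is not part of the thread, here are the two portsentry.conf variants the discussion turns on: the retaliatory one that lets a forged source address trigger a block, beside the logging-only one the thread recommends. Option names follow upstream portsentry 1.x; the script path is a placeholder, so check both against the portsentry.conf actually installed on your system.

```conf
# --- Retaliatory configuration: the DoS vector described above ---
# A single spoofed SYN to a watched port is enough to run every KILL_*
# action against whatever source address the packet claims. If that
# address is your ISP's resolver, you have blackholed your own DNS.
BLOCK_TCP="1"
BLOCK_UDP="1"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
KILL_HOSTS_DENY="ALL: $TARGET$"
# Placeholder path; any command here runs with the spoofed address as input.
KILL_RUN_CMD="/usr/local/sbin/on-scan $TARGET$ $PORT$ $MODE$"
SCAN_TRIGGER="0"

# --- Information-gathering configuration: detect and log only ---
# With blocking disabled the KILL_* options are never consulted, so a
# spoofed probe produces a syslog entry and nothing else. Filtering
# stays in the static, hand-reviewed layer (rp_filter, ipchains,
# tcp-wrappers) where a forged packet cannot rewrite policy.
BLOCK_TCP="0"
BLOCK_UDP="0"
#KILL_ROUTE=""
#KILL_HOSTS_DENY=""
#KILL_RUN_CMD=""
SCAN_TRIGGER="0"
```

If blocking is kept on anyway, the resolvers and default gateway belong in the file named by IGNORE_FILE (portsentry.ignore), one address per line, so they can never become the target of a KILL_* action.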

