Jacob Meuser wrote:

>It would seem to me to not be wise to trust something (assuming that
>thing is supposed to bring some kind of security) that binds to
>interfaces just to look busy, especially if it can't control what
>address it's listening on.
>
>This would also make writing filtering rules difficult, or, well, make 
>portsentry useless, wouldn't it?  Why let packets in just to go to
>a honey pot?
>
>Maybe I don't understand the point of portsentry. 
>
From what I read, it sounds like there are three major modes or levels of
operation; see the portsentry.conf file for details, it seems you just change
the commenting in there to change the 'mode' as it were... in the advanced
mode, portsentry will immediately respond to a portscan by adding an ipchains
or iptables rule to block the sender's IP.  Immediately.  While this might seem
*great* to users paranoid about getting scanned, it is not necessarily a good
practice.  It is an easy way to get yourself blocked, for instance, if you're
checking out how well portsentry works!!  And if your main access to the system
portsentry is running on IS over the network, then the shooting of the feet is
surely a risk  :-/

Well, if the point was to scare me, it worked.  I almost shat myself when I saw
the portscan say that I'm running things I cannot be running!!!  Then again, if
I were a script kiddie I might get excited and think I found new fodder, and
maybe blow my cover or something in all the excitement.  Duh, if I were a
script kiddie I would say "oh, darned that portsentry.  it's so dumb."...

I would much rather have the packets, to see what vulnerabilities are expected
when someone sees my "open" ftp or irc ports... rather than just honey-potting
them.  What login did they try?  What escape-character sequence?  What is
their DNA sequence, dammit?!

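The advanced-mode reaction discussed in this thread (block the scanning source with a firewall rule, with the risk of locking yourself out if you test from your own admin host), as an added shell example. This is not portsentry's own code: it models the responder as a function that consults an ignore list before emitting the blocking rule, which is the usual safeguard against the foot-shooting problem described above. The ignore-file format (one IPv4 address or CIDR block per line, '#' comments), the sample addresses, and the exact iptables command are assumptions made for this illustration; the command is printed rather than executed.

```sh
#!/bin/sh
# Added example (not portsentry's code): model of the "advanced mode"
# reaction described in the thread. On a detected scan, the responder
# would insert a firewall rule dropping the source address, but it first
# consults an ignore list so an administrator scanning from their own
# workstation does not lock themselves out.
#
# Assumptions for this illustration: the ignore file holds one IPv4
# address or CIDR block per line with '#' comments, and the blocking
# command is an iptables INPUT rule. The command is printed, not run.

# ip2int DOTTED_QUAD -> prints the address as a 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> succeeds when IP lies inside CIDR; a bare address
# in the ignore list is treated as a /32.
in_cidr() {
    c_ip=$(ip2int "$1")
    c_net=${2%%/*}
    c_bits=${2#*/}
    [ "$c_bits" = "$2" ] && c_bits=32
    c_mask=$(( (0xFFFFFFFF << (32 - c_bits)) & 0xFFFFFFFF ))
    [ $(( c_ip & c_mask )) -eq $(( $(ip2int "$c_net") & c_mask )) ]
}

# is_ignored IP IGNORE_FILE -> succeeds when IP matches any entry.
is_ignored() {
    i_ip=$1
    i_file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -z "$line" ] && continue
        in_cidr "$i_ip" "$line" && return 0
    done < "$i_file"
    return 1
}

# react_to_scan IP IGNORE_FILE -> prints what the responder would do:
# the blocking command for an unknown source, or "IGNORED <ip>" for an
# address the operator has chosen never to block.
react_to_scan() {
    if is_ignored "$1" "$2"; then
        echo "IGNORED $1"
    else
        echo "iptables -I INPUT -s $1 -j DROP"
    fi
}

# Constructed sample ignore list: loopback, the admin workstation from
# which portsentry is being tested, and an internal range.
IGNORE_FILE=$(mktemp)
cat > "$IGNORE_FILE" <<'EOF'
# never block these
127.0.0.1
192.0.2.10      # admin workstation
10.0.0.0/8      # internal network
EOF

react_to_scan 198.51.100.77 "$IGNORE_FILE"   # outside scanner: gets blocked
react_to_scan 192.0.2.10 "$IGNORE_FILE"      # admin testing portsentry: spared
react_to_scan 10.20.30.40 "$IGNORE_FILE"     # inside the internal range: spared
```

Running it prints the blocking command for the outside address and IGNORED for the two listed ones. The practical point is ordering: the address you administer from has to be on the ignore list before any automatic block-the-sender reaction is switched on, otherwise the first test scan you run from that host is the one that cuts you off.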