On Thu, 2002-01-17 at 14:45, Jacob Meuser wrote:
> On Thu, Jan 17, 2002 at 09:48:08AM -0800, Christopher Maujean wrote:
> > Portsentry is about setting up claymores on trip lines at all entrances
> > to your camp that you don't want to have to post an actual guard at.
>  
> The reasoning in war is that soldiers are too expensive.  What's
> expensive about packet filtering, tcpwrappers, and only listening
> on addresses/ports that absolutely need to be listened to? 

If someone is doing portscans and you catch them on a port you are not
using first and blackhole them, it's much less likely that they will be
connecting to a port you are using and running an unknown exploit. 

> 
> > Has anyone read the documentation? There seem to be a lot of uninformed
> > assumptions being thrown about. 
> 
> |From README.install:
> |
> |The purpose of this is to give an admin a heads up that their host is
> |being probed. There are similar programs that do this already (klaxon,
> |etc.) We have added a little twist to the whole idea (auto-blocking), plus
> |extensive support for stealth scan detection.
> 
> OK, so you're running stuff that may be exploitable, and you want to know
> when the script kiddies come around so you can supervise their activities?
> 
> You could do this by monitoring log growth rates.

Portsentry does this for me, leaving me to do fulfilling work like
creating encrypted filesystems based on the loop device.

I don't actually run portsentry myself anymore; it doubles to quadruples
the size of my log files. But it does have its use, and as the docs say,
when used in conjunction with logcheck it'll let me know that, right
now, some script kiddie is scanning my system with the rootkit script of
the day. It also detects stealth scans better than most other tools I
have seen. 

> You can get really fine grained without interrupting normal activity
> with tcpdump.  You can read the "attack of the week" documentation and
> dump only packets fitting the patterns of those attacks.
> 
> > This thread is a good example of where most distros go wrong, they
> > assume that they know which services and how you want/should set them up
> > and do it for you on install. I've about had it with distributions. They
> > are starting to feel quite a bit like installing windoze. You should
> > have to go _enable_ services you want, not disable services you don't.
> > I'm starting to agree with Justin.
> 
> I'll have homemade CDs of OpenBSD 3.0-stable (as of 2002-01-16) and
> OpenBSD 3.0-current (as of 2002-01-15) at tonight's meeting, but I
> prolly won't be there 'til 7 or so.
> 
> Homemade means I compiled all the binaries, so ... source for base and
> XFree86 4.1.0 and the ports tree included! (Including some extra ports
> that are not a part of the OpenBSD ports tree.)
> 
> --
> <[EMAIL PROTECTED]>
-- 
Christopher Maujean
IT Director, Premierelink Communications
[EMAIL PROTECTED]
http://www.premierelink.com/
541-344-8575x305

PGP:
---------------------------------------------------------------
http://www.keyserver.net/
      KeyID: EFAF4176
Fingerprint: 55E6 4DE1 D7D3 361E F265  C094 46F2 7B62 EFAF 4176
---------------------------------------------------------------
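The "tripwire on unused ports, then blackhole" idea argued in this reply, as an added example (not portsentry's code and not from anyone in the thread). It runs a portsentry-style detector over a constructed connection log: ports the host does not listen on are treated as tripwires, a source that touches enough of them inside a short window is blackholed, and anything it sends afterwards (including to a real service) is counted as dropped. The log format, the listening-port set, the threshold, the ignore list and the iptables backend are all assumptions for the example. It also shows two caveats a practitioner would want: a slow scanner that spaces probes beyond the window is never blocked, and an ignore list keeps a spoofed-source probe from tricking the box into blackholing its own gateway or resolver.

```python
"""Portsentry-style probe detector over a constructed connection log.

Added example; not from the thread and not portsentry's own code. Log
format, port list, thresholds and firewall backend are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed: ports this host legitimately listens on. Everything else is a tripwire.
LISTENING_PORTS = {22, 80, 443}
# Assumed policy: this many distinct unused ports from one source inside WINDOW
# counts as a scan.
THRESHOLD = 3
WINDOW = timedelta(seconds=60)
# Assumed: hosts never to blackhole, so a probe with a spoofed source cannot
# cut this box off from its gateway or resolver (portsentry has a similar ignore file).
IGNORE = {"10.0.0.1", "10.0.0.2"}

# Constructed sample log (syslog-ish format assumed for the example).
SAMPLE_LOG = """\
Jan 17 14:45:01 host conn: src=10.0.0.5 dport=21 proto=tcp
Jan 17 14:45:02 host conn: src=10.0.0.5 dport=23 proto=tcp
Jan 17 14:45:03 host conn: src=10.0.0.5 dport=111 proto=tcp
Jan 17 14:45:04 host conn: src=10.0.0.5 dport=22 proto=tcp
Jan 17 14:45:10 host conn: src=192.0.2.7 dport=80 proto=tcp
Jan 17 14:45:11 host conn: src=192.0.2.7 dport=443 proto=tcp
Jan 17 14:50:00 host conn: src=198.51.100.9 dport=21 proto=tcp
Jan 17 14:52:00 host conn: src=198.51.100.9 dport=23 proto=tcp
Jan 17 14:54:00 host conn: src=198.51.100.9 dport=111 proto=tcp
Jan 17 14:55:00 host conn: src=10.0.0.1 dport=21 proto=tcp
Jan 17 14:55:01 host conn: src=10.0.0.1 dport=23 proto=tcp
Jan 17 14:55:02 host conn: src=10.0.0.1 dport=111 proto=tcp
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ conn: src=(\S+) dport=(\d+)")


def parse_line(line):
    """Return (timestamp, src, dport) for a log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter
    return ts, m.group(2), int(m.group(3))


def detect(log_text, listening=LISTENING_PORTS, threshold=THRESHOLD, window=WINDOW, ignore=IGNORE):
    """Replay the log in order and return (blocked, dropped).

    blocked: src -> timestamp at which it was blackholed
    dropped: (ts, src, dport) tuples seen from a source after its block took effect
    """
    recent = defaultdict(list)  # src -> [(ts, port), ...] hits on unused ports within window
    blocked = {}
    dropped = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, port = parsed
        if src in blocked:
            # Already blackholed: this packet never reaches a service, used or not.
            dropped.append((ts, src, port))
            continue
        if port in listening or src in ignore:
            continue  # traffic to a real service, or a protected host; not a tripwire hit
        hits = [(t, p) for t, p in recent[src] if ts - t <= window]  # forget old probes
        hits.append((ts, port))
        recent[src] = hits
        if len({p for _, p in hits}) >= threshold:
            blocked[src] = ts
    return blocked, dropped


def block_command(src):
    """Firewall rule that implements the blackhole (assumed iptables backend)."""
    return f"iptables -I INPUT -s {src} -j DROP"


if __name__ == "__main__":
    blocked, dropped = detect(SAMPLE_LOG)
    for src, ts in blocked.items():
        print(f"{ts:%H:%M:%S} blackholed {src}: {block_command(src)}")
    for ts, src, port in dropped:
        print(f"{ts:%H:%M:%S} dropped {src} -> port {port} (already blocked)")
```

Replaying the constructed log, 10.0.0.5 touches 21, 23 and 111 in three seconds and is blackholed before its fourth packet reaches the real sshd on port 22, which is exactly the ordering the reply above relies on. 192.0.2.7 only talks to listening ports and is never touched. 198.51.100.9 probes the same three ports two minutes apart and is never blocked, because each hit ages out of the 60-second window before the next arrives; that is the tradeoff of any time-windowed threshold. 10.0.0.1 trips all three ports but sits in the ignore list, so a probe with its address spoofed cannot wedge it out.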
