thanks again.

i think i'm going to move portsentry to hosts behind the gateway - makes more sense 
considering the info you sent, and then look into snort/tripwire on the gateway (i 
actually have tripwire installed, i just haven't generated a new config db lately, 
since i've been messing around with my configs so much).  


> Redmond Militante <[EMAIL PROTECTED]> wrote:
> > hi
> > i've used portsentry on standalone workstations before with ipfilter setup as a
> > firewall, and for some reason, now when i'm trying to use it on a ipf/ipnat
> > gateway box, it's being really verbose about the ports it's binding to.  if i
> > nmap a standalone workstation i have configured ipfilter/portsentry on, i don't
> > get the huge list of ports that it's binding to...  i thought perhaps there was
> > a config option to hide this information
> Redmond,
> There is a good article regarding using portsentry @
> http://www.sans.org/rr/intrusion/portsentry.php
> They talk about version 1 on Linux being able to monitor ports 
> using a socket instead of binding to a port, so this should 
> look different to an nmap scan. As to whether or not FreeBSD 
> supports this feature, I do not know. Anyone out there chime in?
> From the SANS article
> ----------------snip-----------------
> Example One - Default configuration
> By default, the portsentry.conf is designed to listen and block 
> attacking hosts using TCP Wrappers. The default configuration 
> is set up to bind with some of the most commonly probed TCP ports 
> and UDP ports on a Unix system. If any attacking host scans or 
> makes an attempt to attach to one of the PortSentry bound ports, 
> PortSentry will instantly drop the attacking host into the 
> hosts.deny file, thus blocking _ALL_ traffic from the attacking 
> IP address. 
> ----------------snip-----------------
> What bothers me about this method of defense is the possibility 
> of an attacker causing a DoS by spoofing their source scan IP 
> and causing your system to deny traffic from a valid host like 
> your upstream DNS server.
> I have not worked with portsentry at all so, this default 
> behavior is probably not the optimum way to use this tool.
> Scanning is so common on the net that the gain from this 
> seems minimal on a gateway firewall, inside your LAN is 
> another story ;-)
> As to system integrity checking, I like to use Aide, 
> found in /usr/ports/security/aide but tripwire is 
> probably a more commonly used tool.
> Using a tight ipf firewall in conjunction with snort on 
> a gateway firewall is a common and well liked setup.
> Regards,
> Stephen Hilton
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message
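The spoofed-source denial-of-service concern raised above, modelled as an added example (not code from this thread, from portsentry, or from the SANS article): an auto-block policy that keeps an ignore list of networks that must never be denied and only reacts to probes whose source cannot be trivially spoofed. The addresses are constructed documentation-range values, and the rule that a block requires a completed TCP handshake is an assumption about how one would harden such a policy, not a description of portsentry's own behaviour.

```python
from dataclasses import dataclass
import ipaddress

# Networks that must never be auto-denied, analogous to a portsentry ignore list.
# Sample values are constructed (RFC 5737 documentation ranges), not real hosts.
PROTECTED = ["127.0.0.0/8", "192.168.1.0/24", "203.0.113.53/32"]

@dataclass
class ProbeEvent:
    src: str         # source address of the probe
    proto: str       # "tcp" or "udp"
    port: int        # watched port that was hit
    handshake: bool  # True only when a full TCP three-way handshake completed

def is_protected(addr: str, protected=PROTECTED) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in protected)

def decide(ev: ProbeEvent, protected=PROTECTED) -> str:
    """Return 'ignore', 'log-only' or 'block' for one probe on a watched port."""
    if is_protected(ev.src, protected):
        return "ignore"            # never deny infrastructure or LAN hosts
    if ev.proto == "udp" or not ev.handshake:
        return "log-only"          # source trivially spoofable: record, do not react
    return "block"                 # handshake completed, so the source is genuine

def triage(events, protected=PROTECTED) -> dict:
    """Map decision -> list of sources; 'block' is what would go to hosts.deny."""
    out = {"ignore": [], "log-only": [], "block": []}
    for ev in events:
        out[decide(ev, protected)].append(ev.src)
    return out

def hosts_deny_lines(result: dict) -> list:
    # Same shape as a TCP Wrappers deny entry written by an auto-blocker.
    return [f"ALL: {ip}" for ip in result["block"]]

# Constructed sample probes against the gateway's watched ports.
SAMPLE_EVENTS = [
    ProbeEvent("198.51.100.9", "tcp", 143, True),    # real scanner, full connect
    ProbeEvent("203.0.113.53", "udp", 53, False),    # spoofed as upstream DNS
    ProbeEvent("192.168.1.20", "tcp", 23, True),     # internal host, never deny
    ProbeEvent("198.51.100.77", "udp", 161, False),  # UDP probe, spoofable
    ProbeEvent("198.51.100.77", "tcp", 111, False),  # SYN only, no handshake
]

if __name__ == "__main__":
    for line in hosts_deny_lines(triage(SAMPLE_EVENTS)):
        print(line)
```

Only the source that completed a real TCP connection ends up in the deny list; the probe spoofed as the upstream resolver is ignored rather than cutting off DNS.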
