See, the problem with portsentry and your IDS doing things like that is this: if I am an attacker and I know you are doing that, I can just spoof port scans from yahoo.com, your DNS server, hotmail.com, blah blah blah, and basically cause a DoS attack. Since I don't really care about the response (just the action of sending packets is enough to do what I want) it is really easy (and kind of untraceable if I start chaining together proxies etc.) to do this. So my thought is that the whole concept is broken, but if I had to choose the lesser of the two evils I would opt for the one that bans for a shorter time.
HTH,
Leon

-----Original Message-----
From: Karel Jennings [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 08, 2001 2:38 PM
To: [EMAIL PROTECTED]
Subject: portsentry etc

Hello,

I was recently working on a remote server, playing with mysql. Anyway, I wanted to see what ports were open, and nmapped the box. :) The machine had portsentry running, and it dropped my connection *AND* put my IP in the hosts.deny. Isn't this a little bit harsh? Or is it good practise? My IDS at home bans for a couple of days, but not infinitely. That got me thinking... what is the better practise?

As a side note, I have my firewall/router blocking pings. That seems to have reduced the triggering of the IDS... is this just following the premise that the scriptkiddies won't touch what they can't see?

Ciao!
Karel
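An added illustration, written for this archive and not code from either poster or from portsentry: a toy model of the reactive ban list the thread is arguing about, fed with constructed scan events whose source addresses are only what the packets claim. It contrasts a permanent hosts.deny-style ban, a ban that expires (Leon's "lesser evil"), and an expiring ban that also refuses to block infrastructure the box depends on. The addresses and the two-day ban length are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

DNS_SERVER = "192.0.2.53"     # constructed: the server's own resolver
REAL_SCANNER = "203.0.113.5"  # constructed: a host that really did scan us

@dataclass
class ReactiveBanner:
    """portsentry-style reactive block list: a scan seen from X blocks X."""
    ban_seconds: Optional[int]                 # None = permanent (hosts.deny style)
    never_ban: FrozenSet[str] = frozenset()    # hosts the box cannot function without
    bans: Dict[str, Optional[float]] = field(default_factory=dict)  # ip -> expiry

    def on_scan(self, claimed_src: str, now: float) -> bool:
        # claimed_src is just the packet's source field, so it is attacker-controlled
        if claimed_src in self.never_ban:
            return False
        self.bans[claimed_src] = None if self.ban_seconds is None else now + self.ban_seconds
        return True

    def blocked(self, ip: str, now: float) -> bool:
        if ip not in self.bans:
            return False
        expiry = self.bans[ip]
        if expiry is not None and now >= expiry:
            del self.bans[ip]          # timed ban has run out
            return False
        return True

# Constructed event stream: one genuine scan, then a scan whose source address
# was forged to look like the DNS server (the self-inflicted DoS Leon describes).
EVENTS = [(0.0, REAL_SCANNER), (10.0, DNS_SERVER)]

def dns_reachable_after(policy: ReactiveBanner, at: float) -> bool:
    """Replay the events up to time `at` and report whether DNS is still usable."""
    for when, src in EVENTS:
        if when <= at:
            policy.on_scan(src, when)
    return not policy.blocked(DNS_SERVER, at)

def compare() -> dict:
    day = 86400
    naive = ReactiveBanner(ban_seconds=None)       # what hit Karel: permanent, no exceptions
    timed = ReactiveBanner(ban_seconds=2 * day)    # bans expire after two days
    hardened = ReactiveBanner(ban_seconds=2 * day, never_ban=frozenset({DNS_SERVER}))
    return {
        "naive_dns_t+1min": dns_reachable_after(naive, 70.0),
        "naive_dns_t+3days": dns_reachable_after(naive, 3 * day),
        "timed_dns_t+1min": dns_reachable_after(timed, 70.0),
        "timed_dns_t+3days": dns_reachable_after(timed, 3 * day),
        "hardened_dns_t+1min": dns_reachable_after(hardened, 70.0),
        "hardened_scanner_blocked": hardened.blocked(REAL_SCANNER, 70.0),
    }
```

Only the hardened policy keeps the resolver reachable immediately while still blocking the genuine scanner; the timed policy merely limits the outage to the ban length.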
