> A daemon sits running in the background listening to a special device
> Are there any projects out there to do this right now? If not, is this
> a good idea? If it is, who would be a person/group that would be
> qualified and have the time/interest to develop it.
Abacus Portsentry binds itself to ports and detects IP/UDP scans, and Hostsentry looks over login activity and issues countermeasures. Both can issue a wide range of (actually customizable) firewalling rules. I've been running Portsentry for some years now and can say you definitely have to exclude some hosts (which is configurable), lowering the security effect. Hostsentry isn't too far developed, but both come in handy together with Abacus Logcheck. Portsentry and Logcheck are in sid, but (surely because of its experimental state) Hostsentry isn't. Also, I have not seen progress with it during the last years; it is staying at version 0.2...

If you want to start your own project, you'll have to guarantee _you_ can always log in. Also, with dynamic IPs those rules should be outdated after some time. Portsentry, for example, writes entries to /etc/hosts.deny, which you'll have to clean out yourself. This is ugly.

But, with 2-3 XML parsers for config files defining patterns, actions and rules (pattern->action), you could build a rather easy to maintain threat reaction system in Perl with little effort. If you're interested in building one, I am...

Greetings,
-- 
Thomas Ritter
"Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin
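The pattern->action design sketched above, together with the two caveats raised (an exclusion list so the admin can always log in, and rules that expire so a dynamic IP is not blocked forever), as an added example. This is not code from the thread or from the Abacus tools, and it is in Python rather than the Perl the post suggests; the XML config layout, the rule names, the `ttl` attribute and the sample log lines are all constructed for illustration and are not Portsentry's own formats.

```python
"""Minimal config-driven threat reaction engine: pattern -> action rules.

Added example, not code from the original thread. The XML config format,
rule names and sample log lines are constructed assumptions, not the
formats used by Portsentry, Hostsentry or Logcheck.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed config: hosts that must never be blocked (so you can always
# log in), plus rules mapping a log pattern to an action with a time-to-live
# in seconds. The first capture group of each pattern is the offending host.
CONFIG_XML = """
<reaction>
  <exclude host="192.0.2.1"/>
  <exclude host="203.0.113.5"/>
  <rule name="portscan" action="deny" ttl="3600">
    <pattern>attackalert: .* from host: ([0-9.]+)</pattern>
  </rule>
  <rule name="sshbrute" action="deny" ttl="600">
    <pattern>Failed password for .* from ([0-9.]+)</pattern>
  </rule>
</reaction>
"""

# Constructed syslog-style lines used as sample input.
SAMPLE_LOG = [
    "Jan  1 10:00:00 gw portsentry[123]: attackalert: TCP SYN/Normal scan "
    "from host: 198.51.100.7/198.51.100.7 to TCP port: 23",
    "Jan  1 10:00:05 gw sshd[456]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Jan  1 10:00:09 gw sshd[457]: Failed password for invalid user admin "
    "from 198.51.100.9 port 4243 ssh2",
    "Jan  1 10:00:10 gw cron[789]: (root) CMD (run-parts /etc/cron.hourly)",
]


@dataclass
class Rule:
    name: str
    action: str
    ttl: int
    pattern: re.Pattern


@dataclass
class Reactor:
    rules: list
    excluded: set
    blocks: dict = field(default_factory=dict)  # host -> expiry timestamp

    @classmethod
    def from_xml(cls, text):
        """Build a reactor from the (constructed) XML config format above."""
        root = ET.fromstring(text)
        excluded = {e.get("host") for e in root.findall("exclude")}
        rules = [
            Rule(r.get("name"), r.get("action"), int(r.get("ttl")),
                 re.compile(r.findtext("pattern").strip()))
            for r in root.findall("rule")
        ]
        return cls(rules, excluded)

    def feed(self, line, now):
        """Apply the rules to one log line.

        Returns (rule_name, host, action_taken) for the first matching rule,
        or None when no rule matches. Excluded hosts match but are never acted on.
        """
        for rule in self.rules:
            m = rule.pattern.search(line)
            if not m:
                continue
            host = m.group(1)
            if host in self.excluded:
                return (rule.name, host, False)
            if rule.action == "deny":
                # Extend an existing block rather than shorten it.
                self.blocks[host] = max(self.blocks.get(host, 0), now + rule.ttl)
            return (rule.name, host, True)
        return None

    def expire(self, now):
        """Drop blocks whose ttl has elapsed (the dynamic-IP caveat).

        Returns the released hosts, sorted, so the caller can clean hosts.deny.
        """
        released = sorted(h for h, t in self.blocks.items() if t <= now)
        for h in released:
            del self.blocks[h]
        return released

    def hosts_deny(self):
        """Render the live block list in hosts.deny syntax, one host per line."""
        return "\n".join(f"ALL: {h}" for h in sorted(self.blocks))


def run_sample(now=1000):
    """Feed the constructed log through the reactor; returns (reactor, results)."""
    reactor = Reactor.from_xml(CONFIG_XML)
    results = [reactor.feed(line, now) for line in SAMPLE_LOG]
    return reactor, results


if __name__ == "__main__":
    reactor, results = run_sample()
    for line, result in zip(SAMPLE_LOG, results):
        print(result, "<-", line[:60])
    print(reactor.hosts_deny())
    print("released at t=1600:", reactor.expire(1600))
    print(reactor.hosts_deny())
```

The engine only renders the deny list as text; wiring `hosts_deny()` to the real /etc/hosts.deny or to a firewall rule set is left to the caller, and `expire()` is what keeps that list from accumulating stale entries the way the post complains Portsentry's does.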