hi thanks again.
i think i'm going to move portsentry to hosts behind the gateway - makes more sense considering the info you sent, and then look into snort/tripwire on the gateway (i actually have tripwire installed, i just haven't generated a new config db lately, since i've been messing around with my configs so much).

redmond

> Redmond Militante <[EMAIL PROTECTED]> wrote:
> >
> > hi
> > i've used portsentry on standalone workstations before with ipfilter setup as a
> > firewall, and for some reason, now when i'm trying to use it on a ipf/ipnat
> > gateway box, it's being really verbose about the ports it's binding to. if i
> > nmap a standalone workstation i have configured ipfilter/portsentry on, i don't
> > get the huge list of ports that it's binding to... i thought perhaps there was
> > a config option to hide this information
>
> Redmond,
>
> There is a good article regarding using portsentry @
> http://www.sans.org/rr/intrusion/portsentry.php
>
> They talk about version 1 on Linux being able to monitor ports
> using a socket instead of binding to a port, so this should
> look different to an nmap scan. As to whether or not FreeBSD
> supports this feature, I do not know. Anyone out there chime in?
>
> From the SANS article
> ----------------snip-----------------
> Example One - Default configuration
>
> By default, the portsentry.conf is designed to listen and block
> attacking hosts using TCP Wrappers. The default configuration
> is set up to bind with some of the most commonly probed TCP ports
> and UDP ports on a Unix system. If any attacking host scans or
> makes an attempt to attach to one of the PortSentry bound ports,
> PortSentry will instantly drop the attacking host into the
> hosts.deny file, thus blocking _ALL_ traffic from the attacking
> IP address.
> ----------------snip-----------------
>
> What bothers me about this method of defense is the possibility
> of an attacker causing a DOS by spoofing their source scan IP
> and causing your system to deny traffic from a valid host like
> your upstream DNS server.
>
> I have not worked with portsentry at all so, this default
> behavior is probably not the optimum way to use this tool.
>
> Scanning is so common on the net that the gain from this
> seems minimal on a gateway firewall, inside your LAN is
> another story ;-)
>
> As to system integrity checking, I like to use Aide,
> found in /usr/ports/security/aide but tripwire is
> probably a more commonly used tool.
>
> Using a tight ipf firewall in conjunction with snort on
> a gateway firewall is a common and well liked setup.
>
> Regards,
>
> Stephen Hilton
> [EMAIL PROTECTED]
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message
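The auto-deny behaviour quoted from the SANS article, and the spoofed-source denial-of-service Stephen raises against it, can be replayed in a small model. The following is an added example, not code from this thread or from PortSentry itself: it simulates a sentry bound to a handful of trap ports that writes `ALL: <ip>` lines in TCP Wrappers hosts.deny syntax, then shows a scan forged to come from the upstream DNS server getting that server blocked, and the same scan being harmless when a never-deny allowlist is in place. The trap-port set, the allowlist mechanism and all addresses (documentation ranges) are constructed for the demo and are not PortSentry's own configuration.

```python
"""Model of the PortSentry-style auto-deny behaviour described in the thread.

Added example, not code from the thread or from PortSentry itself.
A sentry "binds" a set of trap ports; any connection attempt to one of
them causes the source IP to be written into hosts.deny in TCP Wrappers
syntax ("ALL: <ip>"), which blocks every wrapped service for that IP.
The allowlist of hosts that must never be auto-denied is the mitigation
for the spoofed-source denial-of-service the thread worries about; its
name and format here are constructed, not PortSentry's own.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed trap-port set for the demo (not PortSentry's real default list).
TRAP_PORTS = frozenset({79, 111, 143, 1080, 31337})


@dataclass
class Sentry:
    trap_ports: frozenset = TRAP_PORTS
    never_deny: list = field(default_factory=list)   # networks that are never blocked
    hosts_deny: list = field(default_factory=list)   # lines of a simulated hosts.deny
    events: list = field(default_factory=list)       # audit trail of decisions

    def connection_attempt(self, src_ip: str, dst_port: int) -> str:
        """Return what the sentry did with one connection attempt."""
        if dst_port not in self.trap_ports:
            return "ignored"            # not a trap port: nothing to do
        ip = ip_address(src_ip)
        if any(ip in net for net in self.never_deny):
            self.events.append(f"probe from allowlisted {ip} on port {dst_port}, not denied")
            return "allowlisted"
        line = f"ALL: {ip}"
        if line in self.hosts_deny:
            return "already-denied"
        self.hosts_deny.append(line)
        self.events.append(f"probe from {ip} on port {dst_port}, wrote '{line}'")
        return "denied"

    def is_blocked(self, ip: str) -> bool:
        """True if hosts.deny now carries an ALL: line for this address."""
        return f"ALL: {ip_address(ip)}" in self.hosts_deny

    def render_hosts_deny(self) -> str:
        """The simulated hosts.deny file as text."""
        return "\n".join(self.hosts_deny) + ("\n" if self.hosts_deny else "")


def spoofed_scan_blocks_dns(with_allowlist: bool, upstream_dns: str = "192.0.2.53") -> bool:
    """Replay the scenario from the thread: a scan whose source address is
    forged to be the upstream DNS server. Returns True if the DNS server
    ends up blocked (the DoS the thread describes). Addresses are from
    documentation ranges and are constructed for the demo."""
    sentry = Sentry(never_deny=[ip_network(upstream_dns)] if with_allowlist else [])
    # An unrelated scanner first: this one is denied in both modes.
    sentry.connection_attempt("198.51.100.7", 31337)
    # The forged-source scan hits several trap ports in a row.
    for port in (79, 111, 143):
        sentry.connection_attempt(upstream_dns, port)
    return sentry.is_blocked(upstream_dns)


if __name__ == "__main__":
    for mode in (False, True):
        print(f"allowlist={mode}: upstream DNS blocked -> {spoofed_scan_blocks_dns(mode)}")
```

Run stand-alone it prints that the DNS server is blocked without the allowlist and not with it. The design point is the one Stephen makes: an automatic deny keyed on an unauthenticated source address must exclude every host the box depends on (resolvers, upstream routers, management hosts), or a forged packet turns the sentry into a self-inflicted outage.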