> On Apr 8, 2023, at 9:01 AM, Andrea Venturoli <m...@netfence.it> wrote:
>
> On 4/8/23 16:40, Helge Oldach wrote:
>
>> I wonder why that would provide anything useful though.
>
> Main reason is to react to port scans or sweeping attempts at well-known
> services.
> I.e. someone (or some bot) connects to port 22, 25, 110, etc... when there's
> no such service available and he/she/it gets banned.
>
> I too am wondering whether this still makes sense today (after more than 20
> years since portsentry was conceived).
> Yet I'm currently tasked to replace it, with possible questions being asked
> later :)

From a security point of view, detecting when someone is running a portscan on
you is still useful. Especially when FreeBSD is running on a NAT box or a
router, so it has visibility for more than just its own host.
If I had to implement this today, I’d simply do it with ipfw log rules (for any
list of closed ports), and fail2ban, which could be used to block subnets after
any N attempts. As a bonus, you don’t need a daemon listening on the ports to
do this.
-Dan
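As an added illustration of the ipfw-plus-fail2ban approach Dan sketches above (this is example code written for this page, not anything from the thread or from the fail2ban or FreeBSD projects), the block below builds the "deny log" rule for a list of closed ports, parses the syslog lines such a rule produces with a regex that does the job of a fail2ban failregex, and applies fail2ban's maxretry/findtime logic per /24 rather than per host, so N attempts from one subnet lead to a ban. The log lines are constructed samples; the port list, the /24 aggregation and the thresholds are assumptions chosen for the demonstration.

```python
"""Added example (not code from the thread): turn ipfw "deny log" hits on
closed ports into subnet bans after N attempts, the way a fail2ban jail would.
The log lines below are constructed; CLOSED_PORTS, the /24 aggregation and the
timing thresholds are assumptions chosen for illustration."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Ports with no listening service that the ipfw rule logs on (assumption).
CLOSED_PORTS = (22, 25, 110)

def ipfw_rules(ports=CLOSED_PORTS, rule_num=1000):
    """ipfw rule that drops and logs inbound TCP to the closed ports.
    Logging also needs the sysctl net.inet.ip.fw.verbose=1."""
    port_list = ",".join(str(p) for p in ports)
    return f"ipfw add {rule_num} deny log tcp from any to me dst-port {port_list} in"

# Shape of the resulting syslog line (constructed sample):
#   Apr  8 09:01:23 gw kernel: ipfw: 1000 Deny TCP 203.0.113.7:51234 198.51.100.2:22 in via em0
# This regex is the equivalent of a fail2ban failregex; 'src' is what fail2ban calls <HOST>.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: ipfw: \d+ Deny "
    r"(?P<proto>TCP|UDP) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"\S+:(?P<dport>\d+) in via \S+$"
)

def parse_line(line, year=2023):
    """Return (timestamp, source IP, destination port), or None for lines that are not ipfw denies."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumption: 2023 for the samples)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dport"])

def subnets_to_ban(lines, max_attempts=3, findtime_s=600, prefix=24):
    """Subnets that hit closed ports at least max_attempts times within
    findtime_s seconds (fail2ban's maxretry/findtime), counted per /prefix
    so a scanner that rotates addresses inside one block is still caught."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        if dport not in CLOSED_PORTS:
            continue  # denies on other ports are not evidence of a sweep of closed services
        net = str(ip_network(f"{src}/{prefix}", strict=False))
        hits[net].append(ts)
    banned = []
    for net, times in hits.items():
        times.sort()
        # Sliding window: any run of max_attempts hits inside findtime_s bans the subnet.
        for i in range(len(times) - max_attempts + 1):
            if (times[i + max_attempts - 1] - times[i]).total_seconds() <= findtime_s:
                banned.append(net)
                break
    return sorted(banned)

# Constructed sample log: a quick sweep of 22/25/110 from one host, a slow scan
# spread over one /24 that stays under the time window, and unrelated noise.
SAMPLE_LOG = [
    "Apr  8 09:01:23 gw kernel: ipfw: 1000 Deny TCP 203.0.113.7:51234 198.51.100.2:22 in via em0",
    "Apr  8 09:01:24 gw kernel: ipfw: 1000 Deny TCP 203.0.113.7:51235 198.51.100.2:25 in via em0",
    "Apr  8 09:01:30 gw kernel: ipfw: 1000 Deny TCP 203.0.113.7:51236 198.51.100.2:110 in via em0",
    "Apr  8 09:05:00 gw kernel: ipfw: 1000 Deny TCP 192.0.2.5:40001 198.51.100.2:22 in via em0",
    "Apr  8 09:07:00 gw kernel: ipfw: 1000 Deny TCP 192.0.2.6:40002 198.51.100.2:22 in via em0",
    "Apr  8 09:40:00 gw kernel: ipfw: 1000 Deny TCP 192.0.2.7:40003 198.51.100.2:25 in via em0",
    "Apr  8 09:41:00 gw kernel: ipfw: 2000 Deny TCP 192.0.2.7:40004 198.51.100.2:443 in via em0",
    "Apr  8 09:41:05 gw kernel: ipfw: 100 Accept TCP 198.51.100.50:40005 198.51.100.2:80 in via em0",
    "Apr  8 09:41:06 gw sshd[123]: Connection closed by 198.51.100.50 port 40006",
]

if __name__ == "__main__":
    print(ipfw_rules())
    print(subnets_to_ban(SAMPLE_LOG))  # ['203.0.113.0/24']
```

With the defaults, only the /24 that hit three closed ports within seven seconds is banned; the slow scan of 192.0.2.0/24 spans 35 minutes and stays below the 600-second window, which is the usual trade-off when tuning findtime. Aggregating per subnet is a deliberate choice beyond a stock per-host jail: it catches address rotation inside one block, at the cost of occasionally banning neighbours of a single noisy host, so a shorter bantime is advisable when using it.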