On Sunday 22 July 2001 16:24, you wrote:
> Ok Loossee. Splain it to me. The part I don't get is: How does portsentry
> see any packets at all if my basic policy is DENY? I.e., the firewall (in
> this case done with ipchains via pmfirewall) soaks up all packets and
> silently discards them. So how does portsentry ever get to think that
> *anything* is ever trying to probe me?
My portsentry doesn't ever pick up anything for the same reason that you are
describing - the packet filter (iptables) drops the packets upon receipt.
However, if your firewall does let anything through, and portsentry can pick
those packets up, then you will know about it. As someone on the list pointed
out not that long ago, defense in depth is a good thing - if your firewall
somehow lets things through, then you've got portsentry. Then run an IDS like
snort to examine packet payload for people trying things like buffer
overflows. If these three things let something through, then you should still
have disabled everything you don't need. What you do run should (if feasible)
be using TCP wrappers and other forms of access control. That's four or five
different security strategies incoming packets have to beat in order to do
damage - much more secure than one or two or three strategies, because you
can't be burned by just one configuration error or a cracker being clever
only once.
Jeff
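The layering Jeff describes can be modelled to show exactly why a default-DENY packet filter starves portsentry of input, and what each later layer catches once an earlier one has a hole. The following is an added example, not code from the thread or from portsentry, snort or ipchains; the rule sets, port numbers, hosts.allow networks and sample packets are all constructed for illustration, and nothing here touches a real firewall.

```python
# Added example (not from the original list thread): a model of layered
# defence in which a packet must pass every layer before it is delivered.
# All rules, ports, networks and packets below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str            # source IP as a string
    dport: int          # destination TCP port
    payload: bytes = b""


# Layer 1: the packet filter (ipchains/iptables). With a default DENY policy,
# anything not explicitly allowed is dropped before any userland tool sees it.
@dataclass
class PacketFilter:
    allowed_ports: set
    default_deny: bool = True

    def passes(self, pkt: Packet) -> bool:
        if pkt.dport in self.allowed_ports:
            return True
        return not self.default_deny


# Layer 2: a portsentry-style watcher bound to ports no real service uses.
# It can only react to packets that the filter actually let through to the host.
@dataclass
class PortSentry:
    sentinel_ports: set
    blocked_hosts: set = field(default_factory=set)

    def passes(self, pkt: Packet) -> bool:
        if pkt.src in self.blocked_hosts:
            return False
        if pkt.dport in self.sentinel_ports:
            self.blocked_hosts.add(pkt.src)   # probe seen: block the source from now on
            return False
        return True


# Layer 3: a snort-like payload check. One constructed heuristic is used here:
# a request line far longer than the service's documented maximum.
@dataclass
class PayloadIDS:
    max_request_len: int = 512

    def passes(self, pkt: Packet) -> bool:
        first_line = pkt.payload.split(b"\n", 1)[0]
        return len(first_line) <= self.max_request_len


# Layer 4: only needed services are enabled, so a port with no listener goes nowhere.
# Layer 5: TCP wrappers (hosts.allow) restrict which networks may reach each service.
@dataclass
class Services:
    listeners: dict     # port -> service name
    hosts_allow: dict   # service name -> list of allowed networks (hosts.allow style)

    def passes(self, pkt: Packet) -> bool:
        svc = self.listeners.get(pkt.dport)
        if svc is None:
            return False
        nets = self.hosts_allow.get(svc, [])
        return any(ip_address(pkt.src) in ip_network(n) for n in nets)


def run_layers(pkt: Packet, layers) -> str:
    """Return the name of the layer that stopped the packet, or 'delivered'."""
    for layer in layers:
        if not layer.passes(pkt):
            return type(layer).__name__
    return "delivered"


def build_host(default_deny: bool):
    """Constructed host: ssh and smtp are the only services; sentinel ports are unused ones."""
    return [
        PacketFilter(allowed_ports={22, 25}, default_deny=default_deny),
        PortSentry(sentinel_ports={1, 111, 5000}),
        PayloadIDS(max_request_len=512),
        Services(listeners={22: "sshd", 25: "sendmail"},
                 hosts_allow={"sshd": ["192.168.1.0/24"], "sendmail": ["0.0.0.0/0"]}),
    ]


def demo() -> dict:
    """Walk constructed packets through a strict and a permissive host."""
    probe = Packet(src="203.0.113.9", dport=5000)          # scan of an unused port
    strict, loose = build_host(default_deny=True), build_host(default_deny=False)
    results = {
        # Default DENY: the filter eats the probe and portsentry never sees it.
        "deny_probe": run_layers(probe, strict),
        # Permissive policy: the probe reaches the host and portsentry blocks the source.
        "allow_probe": run_layers(probe, loose),
        # Same source later tries an allowed port: still blocked by portsentry's list.
        "allow_after_probe": run_layers(Packet(src="203.0.113.9", dport=22), loose),
        # Oversized SMTP request line from anywhere: filter and portsentry pass it, IDS stops it.
        "oversized_smtp": run_layers(Packet(src="198.51.100.4", dport=25,
                                            payload=b"A" * 600 + b"\n"), strict),
        # ssh from outside the wrappers' allowed network: stopped at the last layer.
        "ssh_wrong_net": run_layers(Packet(src="203.0.113.9", dport=22), strict),
        # ssh from the allowed LAN: beats every layer.
        "ssh_lan": run_layers(Packet(src="192.168.1.5", dport=22), strict),
    }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} -> {outcome}")
```

Each layer only ever sees what the previous one let through, which is the answer to the original question: portsentry sits behind the filter, so under default DENY it is idle, and it starts earning its keep only when a rule (or a mistake) opens a path. The other layers catch what the earlier ones were never designed to judge, such as payload size or the caller's network.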
_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list