
Re: [cobalt-security] Portsentry & UDP ports



> If you don't set up ipchains to save its results and reload them when
> the machine reloads, wouldn't a simple reboot effectively clear out
> the sin-bin?

Well of course, but restarting the server every 10 mins to clear out the
rules seems like a really bad way of having to do it :)

Of course I know what you mean, that it would be easy to clear them out, but
bear in mind that if you like you can set portsentry up pretty easily to
drop the route from said host and IP, drop it in hosts.deny, and set up an
ipchains rule (you could even set it up to launch a DoS on the host too if
you like, but please don't do stuff like this :P). It's not so easy to set it
up to do these things and then stop doing them when the scan is finished in
about 10 mins. Also programs like nmap can do a scan over 3 days if you set
it up that way, using as many hosts as you like, which will easily fool
portsentry.


> My question is, how much harder is my machine having to work
> when it's watching and filtering those packets on that port? Since
> it's a windoze thing, wouldn't it be safe to just drop the watching of
> that port?

Not really that much harder; you could set up an ipchains rule to drop any
packets to that port, and then stop portsentry listening on it. Packets won't
get through on that port, but you won't get alerts on it.

> I've noticed a slight slow-down in FTP transfer speed since I put the
> ipchains and 'really anal' rule into effect. Nothing major, but enough
> to make *me* notice.

Well pull the rule for a while and see if it makes a difference, if it
doesn't then you know it wasn't portsentry :)
--
/\/\ a R (
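The reply above points out that portsentry can add a firewall rule, a dropped route or a hosts.deny entry for a scanning host, but gives you nothing to take the block away again once the scan is over. The script below is an added example, not code from the original post or from the portsentry project: a time-limited "sin-bin" that records each block with a timestamp so a cron job can expire it. It assumes (my assumption, not stated in the thread) that portsentry's KILL_RUN_CMD is pointed at this script with the scanning host's address, that cron calls the script's `expire` mode every few minutes, and that the firewall tool is ipchains; the `FW_CMD` variable lets you swap in a different tool or a logging stub for a dry run.

```shell
#!/bin/sh
# Time-limited sin-bin for portsentry blocks (added example, not portsentry code).
# Assumed hook (not from the original post):
#   KILL_RUN_CMD="/usr/local/sbin/sinbin.sh block $TARGET$"
# and a cron line running "/usr/local/sbin/sinbin.sh expire" every few minutes.

BLOCKLIST="${BLOCKLIST:-/var/lib/portsentry/sinbin}"  # "ip timestamp" per line
TTL="${TTL:-600}"            # seconds to keep a block; 10 minutes as in the thread
FW_CMD="${FW_CMD:-ipchains}" # firewall tool; override for a dry run

fw_add() {  # deny all input from the host in $1
    "$FW_CMD" -I input -s "$1" -j DENY
}
fw_del() {  # remove the matching deny rule
    "$FW_CMD" -D input -s "$1" -j DENY
}

# block_host IP [NOW]: add the firewall rule and record when it was added.
# NOW defaults to the current epoch time; it is a parameter so it can be tested.
block_host() {
    ip=$1
    now=${2:-$(date +%s)}
    # refuse anything that is not a dotted-quad address: portsentry hands us
    # a remote-controlled string, and it ends up on a command line
    case "$ip" in
        *[!0-9.]*|"") return 1 ;;
    esac
    if grep -q "^$ip " "$BLOCKLIST" 2>/dev/null; then
        # already blocked: only refresh the timestamp, keep the single rule
        tmp=$(mktemp)
        grep -v "^$ip " "$BLOCKLIST" > "$tmp" || true
        mv "$tmp" "$BLOCKLIST"
    else
        fw_add "$ip" || return 1
    fi
    echo "$ip $now" >> "$BLOCKLIST"
}

# expire_blocks [NOW]: delete every rule older than TTL; prints how many were removed
expire_blocks() {
    now=${1:-$(date +%s)}
    [ -f "$BLOCKLIST" ] || { echo 0; return 0; }
    removed=0
    tmp=$(mktemp)
    while read -r ip ts; do
        if [ $((now - ts)) -ge "$TTL" ]; then
            fw_del "$ip" && removed=$((removed + 1))
        else
            echo "$ip $ts" >> "$tmp"
        fi
    done < "$BLOCKLIST"
    mv "$tmp" "$BLOCKLIST"
    echo "$removed"
}

# list_blocked: print the hosts currently in the sin-bin
list_blocked() {
    [ -f "$BLOCKLIST" ] && cut -d' ' -f1 "$BLOCKLIST"
}

case "$1" in
    block)  block_host "$2" ;;
    expire) expire_blocks ;;
    list)   list_blocked ;;
esac
```

A slow nmap scan spread over days, as the reply notes, will simply come back after the block expires; the script only bounds how long a single trigger keeps a host out, which is the trade-off you accept in exchange for not having to reboot to clear the rules.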