
Re: [cobalt-security] [RaQ3] Port Sentry
Hi Kevin,

> And here is the main reason I dislike portsentry: now your friend, who
> thought his portscan was doing you a favor, can no longer access your
> server (or at least some of its resources). Portsentry can't tell the
> difference between a malicious attack and a goofball's mistake. It's
> zero tolerance for system administrators.

Exactly, so the person who implements Portsentry with IPChains needs to know 
his stuff, which I happen to do. Never locked myself out of any of the 
servers where I installed this measure.

I have a custom script running which flushes the IPchains rules after a 
certain amount of time, so you neither end up with a large list of blocked 
IPs, nor will anyone be permanently blocked. So even if one of my customers 
decides to run nmap on the server, then he'll be locked out for a while and 
that'll serve him as a friendly reminder not to try this stuff on this 
particular place.

> For a lot of hackers, portsentry makes very little difference - they can
> always come at your open services from another IP. There are other ways
> beyond a port scan to find out what services are running on your machine
> (your web site, network solutions database, email headers, etc).

There will never be a 100% certain way to stop intrusion attempts, sure. But 
with 40-90 portscans, sunrpc-script-kiddies and various UDP probes per week 
on my primary server I feel much safer with all the protections in place.

Having Portsentry as the *only* protection in place won't do any good. It's just 
one of those lines of defense one might want to have.

-- 

Mit freundlichen Grüßen / Best regards

Michael Stauber

 Stauber Multimedia Design ____ Phone:  +49-6471-923812
 Hauptstrasse 31 ______  D-56244 Goddert ______ Germany
 SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM
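One way to implement the timed unblocking described in the reply above, written as an added example and not Michael's own script. It assumes a block log, appended whenever Portsentry blocks a host, with one line per entry in the constructed form "<epoch seconds> <ip>", and that the block was inserted as `ipchains -I input -s <ip> -j DENY` (the ipchains form shown in portsentry.conf), so the matching `-D` removes it; setting IPCHAINS=echo gives a dry run.

```shell
#!/bin/sh
# Added example: expire Portsentry/ipchains blocks after a fixed time.
# Block log format (assumed, written by the blocking hook): "<epoch> <ip>".

EXPIRE_SECS="${EXPIRE_SECS:-3600}"   # how long a scanning host stays blocked
IPCHAINS="${IPCHAINS:-ipchains}"     # set to "echo" to only print the commands

# expire_blocks LOGFILE NOW
# Deletes the DENY rule for every entry older than EXPIRE_SECS, rewrites
# LOGFILE with the still-active entries only, and prints each unblocked IP.
expire_blocks() {
    log="$1"; now="$2"
    keep="$log.tmp"; : > "$keep"
    # "|| [ -n ... ]" also handles a last line without a trailing newline.
    while read -r ts ip || [ -n "$ts" ]; do
        [ -z "$ts" ] && continue
        if [ $((now - ts)) -ge "$EXPIRE_SECS" ]; then
            # Remove exactly the rule Portsentry's KILL_ROUTE inserted.
            "$IPCHAINS" -D input -s "$ip" -j DENY >/dev/null
            echo "$ip"
        else
            echo "$ts $ip" >> "$keep"
        fi
    done < "$log"
    mv "$keep" "$log"
}

# Run from cron, e.g. every few minutes: expire-blocks /var/log/blocked.log
if [ "$#" -eq 1 ]; then
    expire_blocks "$1" "$(date +%s)"
fi
```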