
RE: [cobalt-security] [RaQ3] Portsentry's raison d'etre (used to be Port Sentry)



>>> And the portsentry alternative to deal with 20+ scans per
>>day is....?
>>
>>Good host-based IDS, updated patches, a hardened server, and
>>a vigilant
>>admin.
>
>No doubt you are right. However, Portsentry's function isn't only to
>block IPs. It also alerts a vigilant admin to any number of suspicious
>activities that go on. Whereas Portsentry was not designed to be nor
>should be the ONLY deterrent against h4cker5, it can certainly be a
>valuable time-saver for some of those vigilant admins, who have little
>time as it is to read through millions of lines of log files every day.
>(Yes, I exaggerate. But that's really what it feels like.)
>
>>> Are you suggesting that running without Portsentry is
>>better than running
>>with it?
>
>Therefore, I conclude, running Portsentry is better than not running
>it.

Exactly. I don't think anyone on this thread expected to run JUST 
PortSentry then go back to la-la land and forget about security. 
My servers are diligently patched, CGIs are monitored, ipchains is
implemented, logcheck sends me a report regularly and I find it much
easier to be vigilant with these tools helping me. To just blanket announce
that one doesn't like a tool like Portsentry and that it shouldn't be
used is a dis to the program's authors and to the professionals who've
recommended it as PART of a security plan. 

Another dis I recently ran across was an "old-wise one" proclaiming on 
his security dissertation website that old pro Administrators hated getting scan
reports and usually just tossed them with no action. With an attitude
like that is it any wonder that the hackers/script kiddies are continuing to bring
down chunks of the Internet with their DoS attacks etc with impunity? 

Sending a short professional heads-up scan report to the admins of public servers
that have obviously been hacked and whose network resources are being
used for intrusive scanning (finding more zombies to enlist for their DoS attacks) hopefully helps 
stem the tide a little bit. 
This week alone I alerted at least 5 corporate IT admins, 2 FEDERAL gov agencies, 3 .edu's, a US Army dial-up admin, and
a handful of SOHO server owners that their machines/networks were compromised. 
Their servers were taken offline and most later confirmed that they did indeed have a problem.

Tony