
Re: [cobalt-security] IPChains Tool

You made good points, Carrie, and I like the whois idea.  In addition, I
want to make sure people know that IPChains makes PortSentry a "backup"
ONLY if IPChains is denying all unbound, incoming ports <= 1024.  If you're
configured this way, couldn't people still portscan you, since the
packets aren't getting past the kernel's IPChains code?

FWIW, I configure my servers' IPChains to implement most of the SANS
IPChains recommendations (can't find exact URL) and a few other things, but
it leaves unbound ports unblocked.  Then, I run PortSentry to listen for
portscans, and when it finds one, I have it run IPChains to block all
traffic to and from that IP.

At 04:01 PM 7/20/01 -0400, Carrie Bartkowiak wrote:
>As for using it with PortSentry - that's really a moot point. If 
>you've got IPChains running, then PortSentry is just a backup alarm 
>and reaction system. Someone will have to get through the IPChains 
>first in order to set off PortSentry. PortSentry can then do a number 
>of things, like tossing the offender's IP into the routing table, 
>handing it over to IPChains to block, or running an external command 
>(Zeffie showed me a wonderful idea to have the external command run a 
>whois on the offending IP and mail it to me).
>They seem to me to be a good system to run together. IPChains up 
>front and PortSentry as a backup measure, with LogCheck to show you 
>everything that's happening.

Ted Behling, Web Application Developer, Monarch Information Systems, Inc.

43 Folly Field Road, Unit 4, Hilton Head Island, SC 29928-5434
E-mail: mailto:TBehling@xxxxxxxxxxxxx
Phone/Fax: 1-800-842-7894    Local or Outside the USA: 1-843-842-7894
Cell Phone (urgent issues): 843-816-7895
Cell Phone E-mail: mailto:TedPhone@xxxxxxxxxxxxx (116 letter limit)
Web site: http://www.monarchis.net
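As an added example for the setup described in this reply (PortSentry spots the scan, then runs IPChains to block all traffic to and from the scanner) and for the whois-by-mail idea in the quoted message, here is a reaction script of the kind PortSentry can call through KILL_RUN_CMD. It is not code from either post or from the PortSentry distribution; the script path, the ignore-file location and the mail recipient are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from
# PortSentry itself: a reaction script that PortSentry would call through
# KILL_RUN_CMD in portsentry.conf, for instance
#   KILL_RUN_CMD="/usr/local/sbin/block-scanner.sh $TARGET$ $PORT$ $MODE$"
# PortSentry substitutes the scanner's address, the probed port and the
# protocol into those tokens. The script path, the ignore-file path and the
# MAILTO address are assumptions made for this example.

IPCHAINS="${IPCHAINS:-/sbin/ipchains}"   # point at a stand-in for a dry run
WHOIS="${WHOIS:-whois}"
MAILTO="${MAILTO:-root}"
IGNORE_FILE="${IGNORE_FILE:-/usr/local/psionic/portsentry/portsentry.ignore}"
send_mail() { mail -s "$1" "$2"; }        # body on stdin
MAIL_CMD="${MAIL_CMD:-send_mail}"

# Accept only a plain dotted quad. $TARGET$ is pasted into a shell command
# line, so nothing but an address may reach ipchains or the mailer.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    (   # split on dots in a subshell so IFS is untouched afterwards
        IFS=.
        set -- $1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Exact-match ignore list (one address per line) so a spoofed or
# self-inflicted scan cannot lock the admin out of the box.
is_ignored() {
    [ -r "$IGNORE_FILE" ] && grep -Fxq "$1" "$IGNORE_FILE"
}

# Block every packet to and from the host; -l logs the dropped inbound ones.
block_host() {
    "$IPCHAINS" -I input -s "$1" -j DENY -l &&
    "$IPCHAINS" -I output -d "$1" -j DENY
}

# Mail the whois record so the admin knows who owns the scanning address.
mail_whois() {
    "$WHOIS" "$1" 2>&1 | "$MAIL_CMD" "PortSentry blocked $1 ($2/$3)" "$MAILTO"
}

# Returns 2 for a malformed target, 3 for an ignored host, 1 if ipchains
# failed, 0 once the host is blocked and the report is sent.
react() {
    target=$1; port=${2:-?}; mode=${3:-?}
    if ! valid_ipv4 "$target"; then
        echo "refusing to act on malformed target '$target'" >&2
        return 2
    fi
    if is_ignored "$target"; then
        echo "$target is on the ignore list, not blocking" >&2
        return 3
    fi
    block_host "$target" || return 1
    mail_whois "$target" "$port" "$mode"
}

if [ $# -gt 0 ]; then
    react "$@"
fi
```

KILL_RUN_CMD is the hook used here rather than KILL_ROUTE because KILL_ROUTE runs a single command, while this script adds rules in both directions and sends the whois report in one go. Before wiring it in, set IPCHAINS to a stand-in (a shell function that echoes its arguments will do) and call the script by hand to see the rules it would insert without touching the kernel.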