
RE: [cobalt-security] Ports safe to close?



Nick Drage - Packet Pooh-Bah - wrote:
> Is this another case of Portsentry generating false alarms 
> for remote scanning software?  ( I mean socks, irc *and* rpc 
> services ).

Oh Lord, spare me the hassles caused by PortSentry, please...

Although it's been much-vaunted by various people over the last eighteen
months or so, it is IMO a big fat hairy pain in the ass when it's not
configured in its most useful 'utterly paranoid' mode. It should *never* be
configured to actually hold ports open, it should be configured in 'stealth'
mode. That way it doesn't actually listen for connections on the ports
themselves, it uses the raw packet driver to examine each packet as it
arrives.
That's why it's called 'stealth': you can't see it from outside.

To be honest (and I've said this repeatedly on this very list) tools like
PortSentry are useless, unless you:

1. switch off services you don't need
2. ensure the services you *do* need are running up-to-date/bugfix/patched
versions of software with no known vulnerabilities. Difficult, yes, but not
impossible.
3. secure the services which need securing. Use authentication. Use SSL/TLS
(hint: stunnel. Look it up). Use IPChains.
4. Familiarise yourself with your logfiles. Once you do, you can spot
anomalies almost immediately.
5. Keep a handy towel with you ;-)
 
> Yay, clue!

Why thank you, Nick, much appreciated :)

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
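As an added illustration of steps 1 and 4 in the list above (this is example code, not part of the original post and not a tool from the Cobalt list or from PortSentry), here is a small POSIX shell audit. It compares `ss -tuln`-style listener output against an allowlist of ports you actually intend to expose, and it scans sshd log lines for sources with repeated failed logins. Both inputs are constructed sample data embedded in the script so it runs offline; the allowlist of 22 and 80, the hostname, PIDs and addresses are assumptions. Firewalling (IPChains) and stunnel from step 3 are not shown here.

```shell
#!/bin/sh
# Added example: audit exposed listeners and spot repeated auth failures.
# Sample data below is constructed, not captured from a real host.

# Constructed sample in the shape of `ss -tuln` output.
SAMPLE_LISTENERS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:1080        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*'

# Ports this host is supposed to expose (assumption: ssh and http only).
ALLOWED_PORTS="22 80"

# Print "<proto> <port>" for every socket bound to a non-loopback address
# whose port is not in ALLOWED_PORTS. Loopback-only services are ignored
# because they are not reachable from outside.
unexpected_listeners() {
    printf '%s\n' "$SAMPLE_LISTENERS" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                        # skip the header line
        {
            m = split($5, addr, ":")            # "addr:port" -> pieces
            host = addr[1]; port = addr[m]
            if (host ~ /^127\./) next           # bound to loopback only
            if (!(port in ok)) print $1, port
        }'
}

# Constructed sshd log lines (syslog format). Addresses are RFC 5737
# documentation ranges, i.e. placeholders.
SAMPLE_AUTH_LOG='Jan 10 03:14:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Jan 10 03:14:03 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Jan 10 03:14:05 host sshd[1205]: Failed password for root from 198.51.100.7 port 41041 ssh2
Jan 10 03:15:10 host sshd[1210]: Accepted publickey for graeme from 192.0.2.10 port 50222 ssh2
Jan 10 03:16:00 host sshd[1212]: Failed password for root from 203.0.113.5 port 3300 ssh2'

# Print "<source-ip> <count>" for sources with at least $1 failed logins
# (default 3). The "from" keyword locates the address regardless of whether
# the line names a valid or an invalid user.
failed_login_sources() {
    threshold="${1:-3}"
    printf '%s\n' "$SAMPLE_AUTH_LOG" | awk -v t="$threshold" '
        /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }'
}

echo "== listeners not in the allowlist =="
unexpected_listeners
echo "== sources with 3 or more failed logins =="
failed_login_sources 3
```

On a real box you would replace the two `SAMPLE_*` strings with `ss -tuln` and the auth log (`/var/log/auth.log` or `/var/log/secure`, depending on the distribution) and run it from cron; anything in the first list is a service to switch off or firewall, and anything in the second is what step 4 means by an anomaly you should recognise on sight.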