
Re: [cobalt-security] PortSentry 2.0b1 Beta released



"Gerald Waugh" <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> I used to use portsentry but have given up on it. For one thing it keeps
> a bunch of ports open that I don't use anyway, so it's kind of like
> entrapment
> you catch people trying to access ports on the machine that are not in use
> anyway.

Gerald, you can specify exactly which ports you want it to listen to.  The
point of allowing it to bind to ports that you don't use and would probably
otherwise block with IPCHAINS, iptables, etc. is that hopefully you'll catch a
hacker doing a port scan before they get to one of your active ports running
real services and automatically drop their traffic in your firewall.  BTW, IMO
it's a good idea to flush all of the IPs associated with scan attempts a
reasonable amount of time after they're added to the firewall.  If your
firewall rules become too cumbersome it starts to affect performance, and
since most hackers are probably connecting from dynamic IPs on dialups or
rooted machines that aren't their own, IMO in general there's little benefit
to keeping those offending IPs listed more than a day or two, by which time
the threat has probably passed.  You probably know this or have your own
mechanisms in place, just thought I'd share my opinion for anyone reading
this.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
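
The expiry of blocked addresses after "a day or two" suggested above, sketched as an added example; it is not part of the original post and not PortSentry code. Assumptions: a block log of `<epoch seconds> <ip>` lines (a hypothetical format, sample data constructed) and firewall rules of the form `-s <ip> -j DROP` in the INPUT chain. The commands are only built, never executed.

```python
import ipaddress

# Constructed sample log: "<epoch seconds> <blocked IP>", one line per block event.
SAMPLE_LOG = """\
1000000000 192.0.2.10
1000050000 198.51.100.7
1000100000 192.0.2.10
not-a-timestamp 203.0.113.5
1000120000 999.1.1.1
1000150000 203.0.113.9
"""

TTL_SECONDS = 2 * 24 * 3600  # keep a block for two days (assumed policy)


def parse_blocks(text):
    """Return {ip: most recent block time}; malformed lines are skipped."""
    latest = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ts = int(parts[0])
            ip = str(ipaddress.ip_address(parts[1]))  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        # A repeat scan refreshes the block, so only the latest event counts.
        latest[ip] = max(ts, latest.get(ip, 0))
    return latest


def split_expired(latest, now, ttl=TTL_SECONDS):
    """Partition blocked IPs into (expired, still_active), both sorted."""
    expired = sorted(ip for ip, ts in latest.items() if now - ts >= ttl)
    active = sorted(ip for ip, ts in latest.items() if now - ts < ttl)
    return expired, active


def unblock_commands(expired, chain="INPUT"):
    """Build argv lists that delete the assumed DROP rule for each expired IP."""
    return [["iptables", "-D", chain, "-s", ip, "-j", "DROP"] for ip in expired]


if __name__ == "__main__":
    expired, active = split_expired(parse_blocks(SAMPLE_LOG), now=1000250000)
    for cmd in unblock_commands(expired):
        print(" ".join(cmd))
    print("still blocked:", ", ".join(active))
```
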