
Re: [cobalt-security] PortSentry 2.0b1 Beta released



Hi Gerald,

> I still don't see what good it can do, if the only ports I have open are
> well used ports. 

Well, the usage of Portsentry has always been controversial. It sure has 
benefits and drawbacks.

I use a slightly modified version of Portsentry. Basically I went into the 
sources and ripped out all the uninformative report functionality like 
"Portsentry listening on UDP-Port XXX" which is generated when Portsentry 
starts. That info otherwise just clutters up the logfiles. I also use it only 
on half a dozen manually selected ports in UDP and TCP mode. That's 
configurable in the Portsentry configuration file.

The ports I use for that are generally ports not used by any service, and they 
are also ports which I specifically opened up in the Firewall. That pretty 
much eliminates the accidental blocking of people who just did something 
dumb.

But if someone runs a portscan over the box and reaches one of those "holes" 
in the Firewall behind which Portsentry is listening, then that person is 
instantly blocked, as you might expect from running Portsentry.

One might argue why to pry holes into a perfectly fine firewall for that 
purpose, or whether portscans are actually a good thing or bad. My own personal 
point of view is that whoever runs a portscan on one of my boxes is someone I 
would rather keep at arm's length and on the far side of the border router. 

Standalone, Portsentry won't do any good, but as just one of many layers in a 
well thought out security concept it can be a beneficial addition, I'd say.

-- 

Mit freundlichen Grüßen / With best regards

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
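The decoy-port setup Michael describes (a handful of otherwise unused ports deliberately left open in the firewall, with a listener behind them that blocks any source that touches one) can be illustrated with a small tripwire in Python. This is an added example and not PortSentry's code or configuration; the decoy port numbers, the source addresses in the sample events and the `DecoyTracker` class are all constructed for the illustration. Only connections to the configured decoy ports count; hits on ports that real services use are ignored, which is the author's argument for why the scheme avoids blocking people who merely did something dumb.

```python
import socket
import threading
from typing import Iterable, List, Set, Tuple

# Constructed decoy ports for the example: low, unused TCP ports that no real
# service on the host listens on. Real deployments would pick their own set.
DECOY_PORTS: Set[int] = {1, 11, 15}


class DecoyTracker:
    """Tracks which sources have touched a decoy port and decides on blocking.

    Mirrors the behaviour described in the mail: a single hit on any decoy
    port is enough to block the source, while traffic to non-decoy ports is
    never considered, so ordinary users of real services cannot trip it.
    """

    def __init__(self, decoy_ports: Iterable[int]) -> None:
        self.decoy_ports: Set[int] = set(decoy_ports)
        self.blocked: Set[str] = set()
        self.log: List[str] = []          # human-readable audit trail

    def observe(self, src: str, port: int, proto: str = "tcp") -> bool:
        """Record one connection attempt; return True if src is (now) blocked."""
        if port not in self.decoy_ports:
            return src in self.blocked    # not a decoy: no new decision
        if src in self.blocked:
            return True                   # already blocked, nothing to add
        self.blocked.add(src)
        self.log.append(f"decoy hit: {src} -> {proto}/{port}; blocking {src}")
        return True

    def block_rule(self, src: str) -> str:
        """Render the firewall rule that would enforce the block.

        The iptables syntax is real, but applying it is left to the operator;
        this example only returns the string.
        """
        return f"iptables -I INPUT -s {src} -j DROP"


def replay(tracker: DecoyTracker, events: Iterable[Tuple[str, int]]) -> List[str]:
    """Feed (src, port) events through the tracker and return the block rules."""
    rules: List[str] = []
    for src, port in events:
        already = src in tracker.blocked
        if tracker.observe(src, port) and not already:
            rules.append(tracker.block_rule(src))
    return rules


def serve_decoys(tracker: DecoyTracker, ports: Iterable[int], host: str = "127.0.0.1") -> None:
    """Bind one listener per decoy port and feed every accepted connection
    to the tracker. Binding ports below 1024 requires root; run with high
    ports on a test host if you only want to see the logic work."""
    def handle(port: int) -> None:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))
            s.listen()
            while True:
                conn, (src, _) = s.accept()
                conn.close()              # we only care that someone knocked
                if tracker.observe(src, port):
                    print(tracker.log[-1] if tracker.log else f"{src} already blocked")

    for p in ports:
        threading.Thread(target=handle, args=(p,), daemon=True).start()


if __name__ == "__main__":
    # Constructed sample: one host uses a real service, another scans the decoys.
    sample_events = [("10.0.0.5", 80), ("10.0.0.9", 1), ("10.0.0.9", 11), ("10.0.0.5", 443)]
    t = DecoyTracker(DECOY_PORTS)
    for rule in replay(t, sample_events):
        print(rule)
    for line in t.log:
        print(line)
```

`replay` works on recorded events so the decision logic can be exercised without opening any sockets; `serve_decoys` is the live form that actually sits behind the firewall holes. Note that a source is blocked on its first decoy hit, exactly as the mail describes, so the choice of decoy ports is what keeps false positives away, not a hit threshold.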