Re: [cobalt-security] PortSentry 2.0b1 Beta released
- Subject: Re: [cobalt-security] PortSentry 2.0b1 Beta released
- From: Mike Vanecek <clist.mtv@xxxxxxxxxxxx>
- Date: Thu, 11 Apr 2002 09:51:28 -0500
- Organization: anonymous
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Wed, 10 Apr 2002 09:40:47 -0400, Gerald Waugh
<gwaugh@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
:>On Wed, 10 Apr 2002, Chris Burton wrote:
:>> With that complaint you are probably running it in classic mode which will
:>> no longer exist (as stated above), it was fairly well documented on how to
:>> get it to not "listen" on unused ports but most people give up when it
:>> doesn't do what they want/expect (no offence intended).
:>>
:>
:>no offense taken,
:>I still don't see what good it can do, if the only ports I have open are
:>well used ports. Now if it could look at many unsuccessful logins or something
:>along those lines, then block that ip, it could be useful.
It is a matter of philosophy in terms of what you want to watch. I set
portsentry to watch everything except those ports I use. If it detects an
attack on an open port, it shuts that ip address down on all ports and logs
the attack using ipfilter. I can then scan my portsentry log and see exactly
who was trying to do what. I.e., I can see the ip address trying to connect to
port 21 or port 22. I then have the choice of putting that ip address (or
range) into a permanent ip firewall block. It has been rather interesting
because I now have a pretty good idea of where the problems are originating. I
have, as a result, blocked several countries. My thinking is that it is not
enough to protect; I want to know who and what is being scanned.
Mike.
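
The log review described in the message above, as an added example that is not part of the original post or of PortSentry itself: it groups logged probes by source address and flags /24 ranges seen from more than one host as candidates for a manual, permanent block. The "attackalert" line layout, the function names and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the syslog "attackalert" style (layout is an assumption).
SAMPLE_LOG = """\
Apr 11 09:12:01 gw portsentry[412]: attackalert: Connect from host: 192.0.2.15/192.0.2.15 to TCP port: 21
Apr 11 09:12:03 gw portsentry[412]: attackalert: Connect from host: 192.0.2.15/192.0.2.15 to TCP port: 22
Apr 11 09:12:03 gw portsentry[412]: attackalert: Host: 192.0.2.15/192.0.2.15 is already blocked Ignoring
Apr 11 09:40:10 gw portsentry[412]: attackalert: Connect from host: scan.example/192.0.2.77 to TCP port: 21
Apr 11 10:02:44 gw portsentry[412]: attackalert: UDP scan from host: 198.51.100.9/198.51.100.9 to UDP port: 161
"""

ALERT = re.compile(
    r"attackalert: .*?from host: \S+/(?P<ip>[\d.]+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

def parse_alerts(text):
    """Return (ip, proto, port) for every probe line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT.search(line)
        if not m:
            continue
        try:
            ip = ip_address(m["ip"])
        except ValueError:  # garbled address in the log
            continue
        alerts.append((str(ip), m["proto"], int(m["port"])))
    return alerts

def summarize(text):
    """Map each source address to the sorted list of ports it probed."""
    seen = defaultdict(set)
    for ip, proto, port in parse_alerts(text):
        seen[ip].add((proto, port))
    return {ip: [f"{p}/{n}" for p, n in sorted(ports)] for ip, ports in seen.items()}

def candidate_ranges(text, min_hosts=2):
    """List /24 networks with probes from at least min_hosts distinct addresses."""
    nets = defaultdict(set)
    for ip, _, _ in parse_alerts(text):
        nets[ip_network(f"{ip}/24", strict=False)].add(ip)
    return sorted(str(n) for n, hosts in nets.items() if len(hosts) >= min_hosts)

if __name__ == "__main__":
    for ip, ports in summarize(SAMPLE_LOG).items():
        print(ip, ", ".join(ports))
    print("review for range block:", candidate_ranges(SAMPLE_LOG))
```

The output is a review list only; whether a range goes into the permanent firewall block remains a manual decision, as in the message.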