
Re: [cobalt-security] PortSentry 2.0b1 Beta released



On Thu, 11 Apr 2002 13:18:19 -0400, "Steve Werby" <steve-lists@xxxxxxxxxxxx>
wrote:


:>Are you using IPCHAINS to block the IPs, your router or something else?  How
:>many IPs or subnets are you blocking at any given time and do you find that
:>affects performance?  My philosophy is generally to only block IPs for a
:>short period of time (hours or days).  I base that on my experience that
:>most portscans and hacking attempts are from dialup IPs or rooted machines
:>so the threat from those IPs after a short period of time seems to be much
:>less.  Any thoughts?

The below is best viewed with fixed font.

My scheme is dynamic depending on the amount of activity. A full scan gets you
in my firewall. A port 22 scan gets you in my firewall (I do ssh on a
different port). A port 21 scan gets you watched. Ever-increasing problems
from a range gets the range blocked. No activity for a while gets you removed.
As you can see below, some items could be removed since the activity level
seems to have gotten quiet while others are still quite active. I handle all
this with portsentry (via portsentry.init). My portsentry config parameters
and portsentry.init definitions follow the ipfwadm list (Qube2 does not have
ipchains; however, I use the same scheme with ipchains on other boxes). I
modify portsentry.init based on the activity I monitor in the log and
periodically restart portsentry. The following is probably more than you
wanted, but it was easier to show what I was doing than to describe it.

I have edited the list to only show items of interest to the discussion. I
last restarted portsentry about 2 weeks ago. My last attack was from a local
security test machine which my portsentry locked out of my box immediately.