RE: [cobalt-security] Portsentry+IPChains
- Subject: RE: [cobalt-security] Portsentry+IPChains
- From: "Andy Brown" <andy.brown@xxxxxxxxxxxxx>
- Date: Mon, 30 Sep 2002 14:06:58 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
<snip>
Anyway this is a Raq4 (fully patched inc SHP).
ipchains (via pmfirewall) defaults to DENY all then ALLOW the services I am running.
Portsentry (-stcp, -sudp) is set to a Trigger of 1 (paranoid)
But because ipchains is denying packets the monitored ports do not trigger Portsentry, causing the Raq to go into overdrive when a full port sweep is happening. (I like to see what ipchains is up to so it is logging)
What I want is a default DENY policy but Portsentry to see the port scans and then drop the connections from that IP via ipchains.
What is the best way to achieve this?
</snip>
Huh!! You're currently blocking stuff using ipchains (the best way) and want to stop using this to use a program which checks for ports, then ADDS them to your ipchains block rules when they do a scan???
Seems strange to me, why do you want to do it this way round? Just set the common types of attacks you get to non-logging so the logs don't fill up quickly.
Apart from that, you've got it spot on, ipchains is dropping packets at the best level. A better solution would be to get a hardware-based firewall to put in front of the machine, like a firebox or cisco kit, though I'm suspecting this isn't an option.
Regards,
Andy
andy@xxxxxxxxxx
http://www.raqpak.com/ <-- Raq/Qube unofficial PKGs and support advice
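The arrangement the original poster asks about, written out as an added example (not code from the thread or from the portsentry/pmfirewall projects): keep the default DENY policy, but ACCEPT the ports portsentry watches so a sweep actually reaches it, and let portsentry's KILL_ROUTE hook insert a DENY for the scanning host ahead of those ACCEPTs. The watched port list, the log line and the host address are constructed; the functions echo the ipchains commands rather than run them.

```shell
# Ports portsentry is told to watch (TCP_PORTS in portsentry.conf); this
# list is a constructed sample. If ipchains denies these, portsentry never
# sees the probe, which is the problem described in the quoted mail.
WATCH_PORTS="1 11 15 111 143 540 1080 1524 2000 5742 12345 31337"

# Emit the ipchains rules: default DENY on the input chain, then explicit
# ACCEPT rules (logged with -l) for the watched ports only. ipchains is
# first-match, so these ACCEPTs take effect before the DENY policy.
open_watched_ports() {
    echo "ipchains -P input DENY"
    for p in $WATCH_PORTS; do
        echo "ipchains -A input -p tcp -d 0/0 $p -j ACCEPT -l"
    done
}

# What portsentry runs when it triggers; in portsentry.conf this is the
# KILL_ROUTE line, with $TARGET$ replaced by the scanner's address.
# -I inserts at the top of the chain so the DENY wins over the ACCEPTs.
deny_host() {
    echo "ipchains -I input -s $1 -j DENY -l"
}

# Pull the scanning host out of a portsentry "attackalert" syslog line
# (format assumed from portsentry's logging; sample line is constructed).
scanner_from_alert() {
    echo "$1" | sed -n 's/.*Connect from host: \([^/]*\)\/.*/\1/p'
}

# Stand-alone run: print the rule set and the block for one alert.
SAMPLE_ALERT='Sep 30 14:06:58 raq portsentry[412]: attackalert: Connect from host: 10.0.0.9/10.0.0.9 to TCP port: 111'
open_watched_ports
deny_host "$(scanner_from_alert "$SAMPLE_ALERT")"
```

With KILL_ROUTE set to the command `deny_host` echoes, the only ports left open past the DENY policy are the ones portsentry is already sitting on, so the logging noise stays confined to the services you run plus the watched ports.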