Re: [cobalt-security] Portsentry+IPChains
- Subject: Re: [cobalt-security] Portsentry+IPChains
- From: Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 30 Sep 2002 10:18:03 -0400 (EDT)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Mon, 30 Sep 2002, peter wrote:
> I know this has been covered many times before but, cannot find a good point of reference.
>
> Anyway this is a Raq4 (fully patched inc SHP).
> ipchains (via pmfirewall) defaults to DENY all then ALLOW the services I am running.
> Portsentry (-stcp, -sudp) is set to a Trigger of 1 (paranoid)
>
> But because ipchains is denying packets the monitored ports do not trigger Portsentry, causing the Raq to go into overdrive when a full port sweep is happening. (I like to see what ipchains is up to so it is logging)
>
> What I want is a default DENY policy but Portsentry to see the port scans and then drop the connections from that IP via ipchains.
>
> What is the best way to achieve this?
>
> The only way I can think is re-open all the Portsentry monitored ports via ipchains, but this seems a bit daft.
>
ipchains logs to /var/log/kernel
Gerald
--
http://frontstreetnetworks.com | http://raqware.com
Front Street Networks LLC | Phone: +1 203-785-0699
229 Front Street, Ste. C, New Haven, CT. 06513-3203
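Following up on Gerald's pointer that ipchains logs to /var/log/kernel: an added example (not from the thread) that parses ipchains "Packet log:" lines, counts the distinct destination ports each source hit in DENY entries to spot a sweep, and emits the ipchains deny rules for an operator to review. The sample log lines, addresses and the threshold of 5 ports are constructed assumptions.

```python
import re
from collections import defaultdict

# ipchains kernel log format (see the ipchains-HOWTO):
# Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. [SYN] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample of /var/log/kernel: 10.0.0.9 probes six ports, 10.0.0.5 is normal traffic.
SAMPLE_LOG = [
    "Sep 30 10:18:03 raq kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40000 192.0.2.10:21 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)",
    "Sep 30 10:18:03 raq kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40001 192.0.2.10:22 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)",
    "Sep 30 10:18:03 raq kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40002 192.0.2.10:23 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#3)",
    "Sep 30 10:18:04 raq kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40003 192.0.2.10:25 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#3)",
    "Sep 30 10:18:04 raq kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.5:51000 192.0.2.10:80 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#1)",
    "Sep 30 10:18:04 raq kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40004 192.0.2.10:80 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#3)",
    "Sep 30 10:18:05 raq kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40005 192.0.2.10:110 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#3)",
    "Sep 30 10:18:05 raq kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:51001 192.0.2.10:443 L=60 S=0x00 I=8 F=0x4000 T=64 SYN (#3)",
]

def parse_line(line):
    """Return the packet fields of one ipchains log entry, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport"):
        d[k] = int(d[k])
    return d

def find_sweeps(lines, threshold=5):
    """Collect distinct destination ports per source from DENY entries; return
    {src: sorted ports} for sources at or above the threshold (likely sweeps)."""
    ports = defaultdict(set)
    for line in lines:
        p = parse_line(line)
        if p and p["target"] == "DENY":
            ports[p["src"]].add(p["dport"])
    return {src: sorted(ps) for src, ps in ports.items() if len(ps) >= threshold}

def deny_rules(sweeps):
    """Build the ipchains commands that block each sweeping source on the input chain (logged)."""
    return [f"ipchains -I input -s {src} -j DENY -l" for src in sorted(sweeps)]

if __name__ == "__main__":
    for rule in deny_rules(find_sweeps(SAMPLE_LOG)):
        print(rule)
```

Run against the real /var/log/kernel with open(...) instead of SAMPLE_LOG and review the emitted rules before applying them.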