
Re: [cobalt-security] Portsentry+IPChains



On Mon, 30 Sep 2002, peter wrote:

> I know this has been covered many times before but, cannot find a good point of reference.
>
> Anyway this is a Raq4 (fully patched inc SHP).
> ipchains (via pmfirewall) defaults to DENY all then ALLOW the services I am running.
> Portsentry (-stcp, -sudp) is set to a Trigger of 1 (paranoid)
>
> But because ipchains is denying packets the monitored ports do not trigger Portsentry, causing the Raq to go into overdrive when a full port sweep is happening. (I like to see what ipchains is up to so it is logging)
>
> What I want is a default DENY policy but Portsentry to see the port scans and then drop the connections from that IP via ipchains.
>
> What is the best way to achieve this ?
>
> The only way I can think is re-open all the Portsentry monitored ports via ipchains, but this seems a bit daft.
>

ipchains logs to /var/log/kernel

Gerald
--
http://frontstreetnetworks.com | http://raqware.com
Front Street Networks LLC  | Phone: +1 203-785-0699
229 Front Street, Ste. C, New Haven, CT. 06513-3203
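An added example (not code from either poster) of the approach Gerald's reply points at: instead of re-opening the monitored ports so portsentry's sockets see the scan, read the DENY entries ipchains already writes to the kernel log and apply a portsentry-style trigger count to them. It assumes the 2.2 kernel's `Packet log:` line format and a default-DENY chain named `input`; the log lines below are constructed, not captured from a real host.

```python
import re
from collections import defaultdict

# Regex for the ipchains "Packet log:" line format written by the 2.2 kernel
# (chain, target, interface, PROTO=, src:port, dst:port, then length/flags).
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample lines (not from a real host): one source sweeps several
# denied ports, another makes a single denied connection plus an accepted one.
SAMPLE_LOG = """\
Oct  1 10:15:01 raq kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:40001 203.0.113.5:21 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
Oct  1 10:15:01 raq kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:40002 203.0.113.5:23 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Oct  1 10:15:02 raq kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:40003 203.0.113.5:110 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#3)
Oct  1 10:15:02 raq kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:40004 203.0.113.5:161 L=28 S=0x00 I=4 F=0x0000 T=64 (#4)
Oct  1 10:15:09 raq kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.44:51000 203.0.113.5:3306 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#3)
Oct  1 10:15:10 raq kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.44:51001 203.0.113.5:80 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#1)
"""

def denied_ports_by_source(log_text):
    """Map each source IP to the set of (proto, dport) pairs it was DENIED on."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = IPCHAINS_RE.search(line)
        if m and m.group("target") == "DENY":
            hits[m.group("src")].add((int(m.group("proto")), int(m.group("dport"))))
    return hits

def sweep_sources(log_text, trigger=1):
    """Sources that hit more than `trigger` distinct denied ports: the same
    idea as portsentry's trigger count, but fed from the ipchains log rather
    than from sockets portsentry cannot see behind a default-DENY policy."""
    return sorted(src for src, ports in denied_ports_by_source(log_text).items()
                  if len(ports) > trigger)

def block_rule(src):
    """ipchains rule that drops (and logs) further packets from the source,
    the effect portsentry's KILL_ROUTE has; returned as a string, not executed."""
    return f"ipchains -I input -s {src} -j DENY -l"

if __name__ == "__main__":
    for src in sweep_sources(SAMPLE_LOG):
        print(block_rule(src))
```

Run it against `/var/log/kernel` (or tail it) in place of `SAMPLE_LOG`; a rule is only worth emitting once per source, so keep a set of already-blocked addresses if you loop over a live log.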