
Re: [cobalt-security] Portsentry+IPChains



> <snip>
> Anyway this is a Raq4 (fully patched inc SHP).
> ipchains (via pmfirewall) defaults to DENY all then ALLOW the services I
> am running.
> Portsentry (-stcp, -sudp) is set to a Trigger of 1 (paranoid)
>
> But because ipchains is denying packets the monitored ports do not trigger
> Portsentry, causing the Raq to go into overdrive when a full port sweep is
> happening. (I like to see what ipchains is up to so it is logging)
>
> What I want is a default DENY policy but Portsentry to see the port scans
> and then drop the connections from that IP via ipchains.
>
> What is the best way to achieve this?
> </snip>
>
> Huh!! You're currently blocking stuff using ipchains (the best way) and
> want to stop using this to use a program which checks for ports, then ADDS
> them to your ipchains block rules when they do a scan???

A little bit more detail:
I would prefer portsentry to see the incoming scan after 2 or 3 ports, then
let ipchains DENY all from that particular IP, so to the attacker my box
seems dead as they will get no response at all from any port.

>
> Seems strange to me, why do you want to do it this way round? Just set the
> common types of attacks you get to non-logging so the logs don't fill up
> quickly.

Yes, this seems the best option, turn off logging, as portsentry will still
log an attack; it's just that at the moment, with a default DENY policy, the logs
fill up with hundreds of ipaddress.xx.xx.xx : portnumber DENY etc.

When someone portscans the Raq, I would prefer that the attacker did not know
which ports/services were open or closed.

Thanks for the advice.

Peter
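Following the advice in this thread, here is an added example (not from the thread or from pmfirewall) of an ipchains ruleset that keeps the default DENY policy but denies the constantly probed ports without `-l`, so only the remaining probes produce log lines. The external interface eth0, the address 192.0.2.10, and the service and noisy-port lists are assumptions.

```shell
#!/bin/sh
# Added example: default DENY, selective logging. Assumptions: eth0 is the
# external interface, 192.0.2.10 (constructed, documentation range) is the
# RaQ's address, and SSH/HTTP/HTTPS are the services being run.
set -e

EXT_IF="eth0"
MY_IP="192.0.2.10"
SERVICES="22 80 443"
# Ports that get probed all day; denied without -l so they do not fill the
# logs. Portsentry can still record them if it is set to watch them.
QUIET_PORTS="137 138 139 445 1433"

# ipchains is a 2.2-kernel tool; when it is absent the rules are printed
# instead of applied (set DRY_RUN=1 to force that).
command -v ipchains >/dev/null 2>&1 || DRY_RUN=1
ipc() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ipchains %s\n' "$*"
    else
        /sbin/ipchains "$@"
    fi
}

build_rules() {
    ipc -F input                          # flush the old input rules
    ipc -P input DENY                     # default policy: drop silently
    ipc -A input -i lo -j ACCEPT          # loopback is always allowed
    # Replies to connections we opened: TCP packets without the SYN bit.
    ipc -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    for p in $SERVICES; do                # the services we actually run
        ipc -A input -i "$EXT_IF" -p tcp -d "$MY_IP" "$p" -j ACCEPT
    done
    for p in $QUIET_PORTS; do             # noisy ports: deny, do not log
        ipc -A input -i "$EXT_IF" -p tcp -d "$MY_IP" "$p" -j DENY
        ipc -A input -i "$EXT_IF" -p udp -d "$MY_IP" "$p" -j DENY
    done
    # Anything else that reaches the box is worth a log line (-l).
    ipc -A input -i "$EXT_IF" -j DENY -l
}

build_rules
```

Rule order matters: the quiet DENY rules must come before the final logging DENY, or every packet to those ports is logged anyway.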