
RE: [cobalt-security] Portsentry+IPChains



<snip>
Little bit more detail :
I would prefer portsentry to see the incoming scan after 2 or 3 ports, then
let ipchains DENY all from that particular IP, so to the attacker my box
seems dead as they will get no response at all from any port.
</snip>

Hi Peter,
Think I have an understanding of what you're trying now,
I'd suggest this:
Set up your firewall again, and this time leave out 3 other random port numbers in the privileged range. (obviously not ones already in use for any services you run)
e.g. 540, 643, 1080 on TCP.

Then make sure portsentry listens on those three IPs by adding them to the portsentry.conf file (These are there by default on the middle 'aware' line in the portsentry.conf)

You're then getting the best of both worlds, where your ipchains is doing the real hard work generally blocking, but if a portscan comes in, portsentry should spot it happening on your 3 random port numbers and block the IP doing the attacking.

Hope that achieves your goal!

Regards,

Andy
andy@xxxxxxxxxx
http://www.raqpak.com/ <-- Raq/Qube unofficial PKGs and support advice
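
A check for the setup described in the message above, added here as an example and not part of the original post: it reads a portsentry.conf and reports which decoy ports are missing from TCP_PORTS and whether the active KILL_ROUTE blocks through ipchains. The config lines in sample_conf are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of the relevant portsentry.conf lines (not from the thread).
sample_conf() {
cat <<'EOF'
#TCP_PORTS="1,7,9,15"
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000"
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
EOF
}

# conf_value KEY: print the value of the last uncommented KEY="..." line on stdin.
conf_value() {
    sed -n "s/^[[:space:]]*$1=\"\(.*\)\"[[:space:]]*\$/\1/p" | tail -n 1
}

# missing_decoys "540 643 1080": read the config on stdin and print the
# decoy ports that portsentry is NOT listening on (absent from TCP_PORTS).
missing_decoys() {
    ports=$(conf_value TCP_PORTS)
    missing=""
    for p in $1; do
        case ",$ports," in
            *",$p,"*) ;;                    # port is in the list
            *) missing="$missing $p" ;;     # port would never trigger portsentry
        esac
    done
    echo $missing
}

# blocks_with_ipchains: succeed if the active KILL_ROUTE inserts an
# ipchains DENY rule for the scanning host ($TARGET$).
blocks_with_ipchains() {
    conf_value KILL_ROUTE | grep -q 'ipchains .*-s \$TARGET\$ .*-j DENY'
}

# Demo on the constructed sample; for a real file, redirect it to stdin instead.
sample_conf | missing_decoys "540 643 1080"
```

Any port it prints also has to be left open in the ipchains input rules, otherwise the firewall drops the probe before portsentry sees it.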