Re: counteracting an attack?
On Sat, Feb 17, 2001 at 08:34:25PM +0100, Erich Schubert wrote:
>
>
> A nice tool for such things is "portsentry".
> I use it on one server of mine: if someone does a portscan on the
> machine, the firewall goes up for that IP and blocks anything except
> ssh.
> (and I get an SMS notification)
How do you combine your firewall with portsentry? It seems to me
that a good firewall has a default drop policy, so probes and
scans will be blocked by the firewall, and never reach portsentry.
The goal is reached, bad guys stay out, but I'd prefer to somehow
make portsentry check the data as well. I prefer to know if
someone scanned my network. Most of the information can be read
from the firewall logs, but it would require a big bunch of
scripts (pretty much rewriting portsentry) to see the big picture
with many scans.
A solution might be to run portsentry on a box outside my firewall,
but for me that's not an option.
Another possibility would be to forward all packets that would have
been dropped to a machine inside my firewall, and check them there.
This doesn't sound very good to me either. Does anyone have some thoughts
on this (combining a firewall with portsentry (or snort))?
--
Casper Gielen
--
People just generally like to disagree.
Bill Joy
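
The log-side correlation raised in the message above (spotting scans from the firewall's own drop logs), as an added example that is not part of the original post. It assumes iptables-style LOG lines with a "DROP" prefix; the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the iptables LOG format (an assumption: the message
# does not name the firewall). Addresses are from documentation ranges.
SAMPLE_LOG = """\
Feb 17 20:30:01 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=21
Feb 17 20:30:01 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22
Feb 17 20:30:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=23
Feb 17 20:30:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80
Feb 17 20:30:03 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=25
Feb 17 20:30:04 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40005 DPT=80
Feb 17 20:31:10 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) .*?\bSRC=(?P<src>\S+) "
    r".*?\bPROTO=(?P<proto>\S+) .*?\bDPT=(?P<dpt>\d+)")

def parse(log, year=2001):
    """Yield (timestamp, source, protocol, dest port) for each dropped packet."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines without a destination port (e.g. ICMP) are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["proto"], int(m["dpt"])

def find_scanners(log, min_ports=5, window=timedelta(seconds=60)):
    """Map each source that probed >= min_ports distinct ports inside one
    sliding window to the sorted list of (proto, port) pairs it touched."""
    by_src = defaultdict(list)
    for ts, src, proto, dpt in parse(log):
        by_src[src].append((ts, (proto, dpt)))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({p for _, p in events})
                break
    return scanners

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(src, "probed", ports)
```

Repeated drops to a single port, like the second source in the sample, are not reported; only a spread across distinct ports inside the time window counts as a scan.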