Re: counteracting an attack?
> How do you combine your firewall with portsentry? It seems to me
> that a good firewall has a default drop policy, so probes and
> scans will be blocked by the firewall, and never reach portsentry.
That's correct; so I open the ipchains firewall for "trap ports".
> The goal is reached, bad guys stay out, but I'd prefer to somehow
> make portsentry check the data as well. I prefer to know if
> someone scanned my network. Most of the information can be read
> from the firewall logs, but it would require a big bunch of
> scripts (pretty much rewriting portsentry) to see the big picture
> with many scans.
For that I use logcheck and log as little as possible.
> A solution might be to run portsentry on a box outside my firewall,
> but for me that's not an option.
Well, with ipchains and no separate hardware firewall this is no problem.
> Another possibility would be to forward all packets that would have
> been dropped, to a machine inside my firewall, and check them there.
> This doesn't sound very good to me either. Does anyone have some thoughts
> on this (combining a firewall with portsentry (or snort))?
I do not have a real firewall, so I can't tell you solutions for this.
But I've stopped caring much about script kiddies scanning my network;
it happens too often and I can't do anything about it but log...
Greetings,
Erich
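
An added example, not part of the original message: a small Python summary of ipchains packet-log lines (the format the kernel writes for rules carrying -l), grouping denied packets by source so that many separate probes show up as one scan. The sample log lines, the addresses and the min_ports threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the ipchains "Packet log" format.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40001 198.51.100.5:21 L=60 S=0x00 I=1001 F=0x4000 T=52 SYN (#7)
Mar  3 10:00:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40002 198.51.100.5:23 L=60 S=0x00 I=1002 F=0x4000 T=52 SYN (#7)
Mar  3 10:00:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40003 198.51.100.5:25 L=60 S=0x00 I=1003 F=0x4000 T=52 SYN (#7)
Mar  3 10:00:02 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:40004 198.51.100.5:111 L=56 S=0x00 I=1004 F=0x0000 T=52 (#7)
Mar  3 10:05:10 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:51000 198.51.100.5:80 L=60 S=0x00 I=2001 F=0x4000 T=48 SYN (#7)
Mar  3 10:06:00 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.99:33000 198.51.100.5:22 L=60 S=0x00 I=3001 F=0x4000 T=60 SYN (#2)
Mar  3 10:06:30 gw sshd[412]: Connection from 192.0.2.99 port 33000
"""

# chain, target, interface, protocol number, src:port, dst:port
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
)

def summarize_scans(log_text, min_ports=3, targets=("DENY", "REJECT")):
    """Return {source_ip: {"ports": [...], "hosts": [...]}} for sources that
    were blocked on at least min_ports distinct (protocol, port) pairs."""
    ports = defaultdict(set)   # src -> {(proto, dport), ...}
    hosts = defaultdict(set)   # src -> {dst, ...}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["target"] not in targets:
            continue           # not a packet log line, or the packet was accepted
        ports[m["src"]].add((int(m["proto"]), int(m["dport"])))
        hosts[m["src"]].add(m["dst"])
    report = {}
    for src, seen in ports.items():
        if len(seen) >= min_ports:   # a single stray packet is not reported
            report[src] = {"ports": sorted(seen), "hosts": sorted(hosts[src])}
    return report

if __name__ == "__main__":
    for src, info in summarize_scans(SAMPLE_LOG).items():
        plist = ", ".join(f"{proto}/{port}" for proto, port in info["ports"])
        print(f"{src}: {len(info['ports'])} blocked ports ({plist}) "
              f"on {', '.join(info['hosts'])}")
```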