
Re: counteracting an attack?



> How do you combine your firewall with portsentry? It seems to me
> that a good firewall has a default drop policy, so probes and
> scans will be blocked by the firewall, and never reach portsentry.

That's correct; so I open the ipchains firewall for "trap ports".

> The goal is reached, bad guys stay out, but I'd prefer to somehow
> make portsentry check the data as well. I prefer to know if
> someone scanned my network. Most of the information can be read
> from the firewall logs, but it would require a big bunch of
> scripts (pretty much rewriting portsentry) to see the big picture
> with many scans.

For that I use logcheck and log as little as possible.

> A solution might be to run portsentry on a box outside my firewall,
> but for me that's not an option.

Well with ipchains and no separate hardware firewall this is no problem.

> Another possibility would be to forward all packets that would have
> been dropped, to a machine inside my firewall, and check them there.
> This doesn't sound very good to me either. Anyone has some thoughts
> on this (combining a firewall with portsentry (or snort))?

I do not have a real firewall, so I can't tell you solutions for this.
But I've stopped caring much about script kiddies scanning my network;
it happens too often and I can't do anything about it but log...

Greetings,
Erich
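
The quoted question notes that the scan picture can be read from the firewall logs with some scripting. The following is an added example, not part of the original message: it groups denied packets from ipchains kernel log lines by source address and reports sources that touched many distinct ports. The log layout is assumed to be the "Packet log:" format described in the IPCHAINS-HOWTO; the sample lines, addresses and the `min_ports` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed ipchains "-l" log layout (IPCHAINS-HOWTO "Packet log:" format).
LINE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>DENY|REJECT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) "
)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = """\
Mar  3 10:00:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40001 198.51.100.5:21 L=60 S=0x00 I=100 F=0x4000 T=52
Mar  3 10:00:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40002 198.51.100.5:22 L=60 S=0x00 I=101 F=0x4000 T=52
Mar  3 10:00:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40003 198.51.100.5:23 L=60 S=0x00 I=102 F=0x4000 T=52
Mar  3 10:00:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40004 198.51.100.5:25 L=60 S=0x00 I=103 F=0x4000 T=52
Mar  3 10:00:03 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40005 198.51.100.5:80 L=60 S=0x00 I=104 F=0x4000 T=52
Mar  3 10:05:10 gw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.7:1030 198.51.100.5:53 L=34 S=0x00 I=18 F=0x0000 T=254
Mar  3 10:05:11 gw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.7:1031 198.51.100.5:53 L=34 S=0x00 I=19 F=0x0000 T=254
Mar  3 10:06:00 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.99:50000 198.51.100.5:25 L=60 S=0x00 I=7 F=0x4000 T=60
Mar  3 10:07:00 gw sshd[412]: unrelated daemon message
"""


def summarize(lines, min_ports=4):
    """Map each source with >= min_ports distinct denied (proto, dport)
    pairs to the sorted list of those pairs."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if m is None:
            continue  # accepted packets and non-ipchains lines are ignored
        seen[m["src"]].add((int(m["proto"]), int(m["dport"])))
    return {src: sorted(p) for src, p in seen.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, ports in summarize(SAMPLE.splitlines()).items():
        listing = ", ".join(f"{proto}/{port}" for proto, port in ports)
        print(f"{src}: {len(ports)} distinct denied ports ({listing})")
```

Repeated hits on a single port, such as the UDP/53 source in the sample, stay below the threshold and are not reported.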


