
Re: checking security logs



On Tue, Jan 23, 2001 at 11:45:28AM -0500, Gord Mc . Pherson wrote:
>   I'd also concur with a previous comment about 'portsentry', since it's possible to spoof an address and have portsentry block it. It therefore becomes an effective tool for a hacker to use as a DoS. For example, I could find out what your ISP's DNS servers are, spoof those addresses and have your portsentry block them. This would cut you off from the net until you manually corrected it.

Actually that will not happen to me, or anyone else installing the Debian portsentry
package, because that is NOT the way that Debian ships portsentry by default, and there
is even a comment about spoofing in the portsentry config file:

# I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
# AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
# and people can make scans appear out of thin air. The only time it
# is reasonably safe (and I *never* think it is reasonable) to run
# reverse probe scripts is when using the "classic" -tcp mode.

Granted, this is in the section talking about the KILL_RUN_CMD, but it's pretty
obvious that this applies to the other KILL_.*_CMDs also.

The only thing I use portsentry for is information gathering, and that is the
most important aspect of securing a system (knowledge of the system). My "real"
security is in a less-dynamic way through rp_filter, ipchains, tcp-wrappers and
chroot'ed environments.

I only recommended portsentry as an informational tool (as the original poster requested).

-Duffey

-- 
David Duffey <email@DavidDuffey.com>                  1605 Hillcrest Dr Apt X30
             -----------------------                  Manhattan, KS 66502
                                                      (785)395-2630



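As an added illustration of the "information gathering only" use of portsentry argued for above, here is a small Python summariser that reads portsentry attackalert lines from syslog and produces a per-source report for a human to look at, without ever taking a blocking action. This is example code written for this page, not code from the mail above or from the portsentry project. It assumes the log lines follow portsentry's classic "attackalert: Connect from host: NAME/ADDR to TCP port: N" shape (the sample lines and addresses below are constructed, using documentation address ranges), and that the operator supplies a list of critical hosts (for instance the ISP's resolvers) whose appearance as an alert source is flagged as possibly spoofed rather than acted on, which is exactly the DoS scenario the quoted reply describes.

```python
"""Summarise portsentry 'attackalert' syslog lines for human review.

Added example, not from the original mail or from portsentry itself.
Assumptions: alert lines follow portsentry's classic
'attackalert: Connect from host: NAME/ADDR to TCP port: N' shape, and the
operator supplies the critical-host list (resolvers, gateway, ...).
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Matches the portsentry-style alert text wherever it sits in a syslog line.
ALERT_RE = re.compile(
    r"attackalert: Connect from host: (?P<name>\S+)/(?P<addr>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

# Constructed sample input modelled on portsentry's attackalert format
# (addresses are from documentation ranges, not real hosts).
SAMPLE_LOG = """\
Jan 23 11:40:01 host portsentry[512]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Jan 23 11:40:02 host portsentry[512]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 143
Jan 23 11:40:02 host portsentry[512]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 515
Jan 23 11:41:10 host portsentry[512]: attackalert: Connect from host: 198.51.100.53/198.51.100.53 to UDP port: 69
Jan 23 11:41:11 host portsentry[512]: attackalert: Connect from host: 198.51.100.53/198.51.100.53 to UDP port: 161
Jan 23 11:42:00 host portsentry[512]: unrelated message
"""


def parse_alerts(text):
    """Yield (addr, proto, port) for each attackalert line; skip everything else."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m["addr"], m["proto"], int(m["port"])


def summarise(text, critical_hosts):
    """Group alerts by claimed source and mark critical infrastructure.

    critical_hosts: addresses (e.g. your ISP's resolvers) that must never be
    cut off automatically. The source address in a probe is unauthenticated,
    so an alert "from" one of them is flagged for manual review, not acted on.
    """
    crit = {ip_address(h) for h in critical_hosts}
    hits = defaultdict(set)
    for addr, proto, port in parse_alerts(text):
        hits[addr].add((proto, port))
    report = {}
    for addr, ports in hits.items():
        report[addr] = {
            "ports": sorted(ports),
            "critical": ip_address(addr) in crit,
        }
    return report


def format_report(report):
    """Render the summary as one line per claimed source, for a human reader."""
    lines = []
    for addr, info in sorted(report.items()):
        tag = ("CRITICAL HOST - possibly spoofed, review by hand"
               if info["critical"] else "review")
        ports = ", ".join(f"{proto}/{port}" for proto, port in info["ports"])
        lines.append(f"{addr}: {len(info['ports'])} port(s) [{ports}] -> {tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Resolver address here is a constructed placeholder for the operator's own list.
    print(format_report(summarise(SAMPLE_LOG, critical_hosts=["198.51.100.53"])))
```

Feed it the relevant portion of syslog (for example the output of grep for attackalert) and a critical-host list taken from /etc/resolv.conf and the default route; the report is the whole output, and the decision about firewall rules stays with the administrator, which is the point of using the tool for knowledge rather than retaliation.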