
Re: portsentry dangerous? hardly; RTFM. (was Re: checking security logs)



thomas lakofski <thomas@88.net> writes:
> On Wed, 31 Jan 2001, Quietman wrote:
> > On Wed, Jan 31, 2001 at 12:54:41AM +0000, Quietman wrote:
> > > Excuse me if I'm missing the point, but what will this show other than
> > > any rules you already have in place?
> > And obviously, how many packets have been intercepted by that rule.
> 
> If you read back in the thread you'll see that the point of contention was
> whether an admin could know what hosts had been blocked by
> portsentry,

Given dynamic IPs, he can't, as hosts aren't associated with
particular IPs, but with randomly changing ones. For instance, a
homebrew ISDN router with an aggressive huptimeout (20s) will change
IPs comparatively fast, but still remain the same host.

> Equally one could reference the portsentry logs which will contain
> similar information.

Which is '32-bit-numbers' and nothing beyond. 

> Adding appropriate accounting rules when blocking would let you know
> how many packets had been intercepted without vast effort.

You won't need accounting rules for that, because the Linux kernel
packet filter keeps byte and packet counters for every rule (try
'ipchains -L -n -v' or a ride with ipchains(8)). But this cannot help,
because host <-> ip associations are dynamic...

... but it's probably useless to try to explain this to you any
longer, as you aren't really interested in technical details, more in
defending your position on the ladder, so that'll be it.

-- 
SIGSTOP


