Re: portsentry dangerous? hardly; RTFM. (was Re: checking security logs)
On 1 Feb 2001, Rainer Weikusat wrote:
> Given dynamic IPs, he can't, as hosts aren't associated with
> particular IPs, but with randomly changing ones. For instance, a
> homebrew ISDN router with an aggressive huptimeout (20s) will change
> IPs comparatively fast, but still remain the same host.
i'm quite aware of this.
> 'ipchains -L -n -v' or a ride with ipchains(8)). But this cannot help,
> because host <-> ip associations are dynmamic...
> ... but it's probably useless to try to explain this to you any
> longer, as you aren't really interested technical details, more in
> defending your position on the ladder, so that'll be it.
and i'm not sure what brings you to say this. looking back at your past
postings, your general tone is negative. i've not yet seen you say something
for the record, i've been working in infosec for over four years, and have
designed and built substantial Internet-based commerce systems for major
investment banks during this period. technical detail is my job.
i understand your points, and yes, i agree that a host could add blocked hosts
to a hosts running portsentry very quickly.
however, i've never had this happen to me, nor have i heard of it happening on
any security-related mailing list, or via any other source. dynamic-ip
activity of the kind you describe could be traced very easily to the
perpetrator, and could be dealt with via official channels easily too -- and it
could cost the attacker substantial money in telco charges for any persistent
portsentry is not a panacea -- it's just part of an overall strategy. but, i
do not agree with your initial assessment that it is 'worse than useless'.
each to their own, but you've not convinced me that my strategy is wrong, or
that your strategy (not that you've proposed an alternative) is right.
who's watching your watchmen?
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4 F053 4AE5 01DF 81FD 4B43