Re: detecting portscanning
On Thu, May 24, 2001 at 03:47:33PM -0600, Tim Uckun wrote:
> >The problem with portsentry is that it binds to all the ports you are
> >watching, so people that are scanning actually see those ports open. It is
> >better to use snort, which will let you know that the scans have happened
> >without the attacker being aware.
> Although it binds to all the ports, portsentry can blackhole the scanner as
> soon as it detects it with an ipchains rule. Once the user starts a scan
> they will be immediately blackholed and will never even complete the scan.
Don't do that unless you know what you are doing. If somebody fakes a
portscan coming from somewhere you really wouldn't want to blackhole (e.g.
your name server), you could lose bigtime. If you know what you're doing,
and understand the risks, then do whatever tickles your fancy. Just be
careful about suggesting potentially dangerous stuff.
#define X(x,y) x##y
Peter Cordes ; e-mail: X(email@example.com. , ns.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE
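As an added example (not code from the thread or from portsentry), one way a defender could gate an auto-blackhole decision against the spoofed-scan problem Peter raises: infrastructure you depend on (name servers, gateway; the addresses below are constructed) is never blocked, and SYN-only evidence is treated as spoofable, so a drop rule is only added when the scanner actually completed a TCP handshake.

```python
import ipaddress

# Constructed example: hosts this machine depends on and must never auto-block.
PROTECTED = [
    ipaddress.ip_network("192.0.2.53/32"),   # primary name server (constructed)
    ipaddress.ip_network("192.0.2.54/32"),   # secondary name server (constructed)
    ipaddress.ip_network("192.0.2.1/32"),    # default gateway (constructed)
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
]

def is_protected(src):
    """True if src falls inside any network we refuse to blackhole."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PROTECTED)

def decide_block(src, handshake_completed):
    """Return (action, reason) for a source that tripped the scan detector.

    A bare SYN scan carries a spoofable source address, so on its own it is
    only worth an alert.  A completed TCP handshake shows the peer really
    received our SYN/ACK, which a blind spoofer cannot do from that address.
    Protected infrastructure is never blocked, whatever the evidence.
    """
    if is_protected(src):
        return ("alert", "source is protected infrastructure; refusing to block")
    if not handshake_completed:
        return ("alert", "SYN-only evidence is spoofable; alerting without blocking")
    return ("block", "completed handshake from scanner; adding drop rule")

def triage(events):
    """Map each (src, handshake_completed) detector event to its action."""
    return {src: decide_block(src, hs)[0] for src, hs in events}

if __name__ == "__main__":
    # Constructed detector events: a spoofed scan 'from' the name server,
    # a SYN-only scan from an outside host, and a scanner that completed
    # a handshake.  Only the last one earns a drop rule.
    sample = [("192.0.2.53", False), ("198.51.100.7", False), ("203.0.113.9", True)]
    for src, action in triage(sample).items():
        print(f"{src:>14}  {action}")
```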