
Re: 'mirror' with iptables



thomas lakofski <thomas@88.net> writes:

[snip]
> snort (as you mention) good for detecting attacks on ports you must
> provide service on -- portsentry is just the one facet but the question
> was in re portscans.
> 
> > If you want to stop port-scans, use a proper firewall with DENY
> > (ipchains) or DROP (iptables) by default.
> 
> how does this stop the scanner from identifying open ports?

Why is a port open to a scanner's IP#, if not in order to be used?

> > Use either snort or, at a push, portsentry, to spot incoming packets
> > matching signatures of known exploits, for `cool, I dropped the packet
> > anyway' factor.
> 
> snort's flexresp is clever, yes... beats portsentry but considerably more
> maintenance.

Yes. For a better system, you have to do more work. <shrug> :)

~Tim
-- 
There's peat smoke rising                   |piglet@stirfried.vegetable.org.uk
From the village chimneys                   |http://spodzone.org.uk/
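A default-DROP ruleset of the kind the reply above recommends, written here as an added example; it is not code from the thread or from either poster. It targets iptables (the 2.4 netfilter tool, not ipchains), emits iptables-restore(8) format, and the served ports, the log prefix and the conntrack match are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: emit a default-DROP iptables ruleset
# in iptables-restore(8) format. Only the TCP ports passed as arguments are
# opened; every other unsolicited packet is silently dropped (no RST, no
# ICMP unreachable), so the only ports a scanner can enumerate are the
# ones you serve on purpose. The example ports, the log prefix and the
# conntrack match are assumptions for illustration.

# is_port PORT: true if PORT is an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_ruleset PORT...: print the ruleset to stdout, or fail (printing
# nothing) if any argument is not a valid port.
gen_ruleset() {
    for p in "$@"; do
        is_port "$p" || { echo "gen_ruleset: bad port '$p'" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    # Default policies: drop inbound and forwarded traffic, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections this host opened itself.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Malformed flag combinations used by NULL and SYN/FIN scans never reach
    # the ACCEPT rules below.
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    printf '%s\n' '-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP'
    # One ACCEPT per served port, for new connections only.
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the default policy is about to drop.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT dropped: "'
    printf '%s\n' 'COMMIT'
}

# Usage: sh default-drop.sh 22 80 443 | iptables-restore
if [ "$#" -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Two caveats: very old iptables builds spell the state match `-m state --state` rather than `-m conntrack --ctstate`, and ipchains (the 2.2 tool mentioned in the thread) uses DENY with an entirely different syntax. Using REJECT instead of DROP would answer with a RST or ICMP unreachable, which lets a scanner tell closed ports from filtered ones and finish much faster; with DROP it must wait for each probe to time out, and the only ports it ever sees are those you opened on purpose.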
