Portsentry & iptables
After noticing some more portscans (fast, even in order -
nice snort logs though) I remembered portsentry.
Thanks to debian's apt-get I didn't take long to install & check it out
of course. I noticed in standard-mode, it binds to some ports and just
waits until somebody connects to them. The documentation also suggests NOT
to use the host-blocking feature upon detection of a portscan.
Wel, my questions are:
1) I noticed it was non-free: is there any free equivalent?
2) When one also runs a firewall (fully closed tcp range except
the few needed services ofcourse) people scanning the box
(if they use connect-scan that is) never even hit portsentry
because of the firewall.
In this case, could it be justified to use the blocking feature?
(In the event somebody bypasses the firewall and touches the
wrong port they still would be blocked out)
3) Has anybody some experience with this tool?
(like using the syn-mode, number of false blockings/alerts,
advanced mode, ...)
Dries
Reply to: