Re: Port Sentry
From: "Rajkumar S." <email@example.com>
To: Roderick Cummings <firstname.lastname@example.org>
CC: debian <email@example.com>
Subject: Re: Port Sentry
Date: Sat, 2 Jun 2001 20:51:46 +0530 (IST)
On Sat, 2 Jun 2001, Roderick Cummings wrote:
> Now when portsentry detects a port scan it blocks the ip making the
I am not an expert in security, but some doubts.
Is it wise to block an ip just because it did a port scan?
What if s/he spoofs the ip and puts your ip as source address?
A rule in my input chain will drop any incoming packet claiming to be from
the localhost. (the routers to other networks will drop any incoming
packets claiming to be from my network as well).
Blocking the IPs might be a problem if say, someone takes control of one of
the servers at my customers site, but then the application would die and be
noticed. Although that would be a serious DOS attack, I'd much rather know
there is a problem and discover the system in the customer's network was
hacked, than continue to talk to it and process data from it. Unfortunately
the customers do have legitimate reasons to access the systems in my network
(several of which they actually own).
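
The ordering discussed in this thread (anti-spoof filtering first, automatic blocking second), as an added example that is not part of the original messages and not portsentry's own code. The address ranges, interface name, threshold and action labels are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample topology (documentation address ranges), not from the thread.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
CUSTOMER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
EXTERNAL_IFACE = "eth0"  # hypothetical name of the outside interface

def is_spoofed(src, iface):
    """True when a packet on the external interface claims a local source."""
    addr = ipaddress.ip_address(src)
    return iface == EXTERNAL_IFACE and any(addr in net for net in LOCAL_NETS)

def handle_scan_events(events, threshold=3):
    """events: iterable of (src_ip, iface, dst_port) probe records.
    Returns {src_ip: action} for every source that triggered an action."""
    ports, dropped = {}, set()
    for src, iface, port in events:
        if is_spoofed(src, iface):
            dropped.add(src)  # filtered before the scan detector counts it
            continue
        ports.setdefault(src, set()).add(port)
    # Spoofed local sources are dropped but never put on the block list,
    # so a forged packet cannot make the host block its own network.
    actions = {src: "drop-spoofed" for src in dropped}
    for src, seen in ports.items():
        if len(seen) < threshold:
            continue  # too few distinct ports to count as a scan
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in CUSTOMER_NETS):
            # Blocking a customer host breaks a live application: block, but alert.
            actions[src] = "block+page-operator"
        else:
            actions[src] = "block"
    return actions

# Constructed probe records. Note the limit: a forged source outside
# LOCAL_NETS cannot be recognised as spoofed by this check.
SAMPLE_EVENTS = [
    ("192.0.2.10", "eth0", 21), ("192.0.2.10", "eth0", 23), ("192.0.2.10", "eth0", 25),
    ("203.0.113.7", "eth0", 21), ("203.0.113.7", "eth0", 23), ("203.0.113.7", "eth0", 80),
    ("198.51.100.4", "eth0", 22), ("198.51.100.4", "eth0", 111), ("198.51.100.4", "eth0", 513),
    ("203.0.113.9", "eth0", 80),
]

if __name__ == "__main__":
    for src, action in handle_scan_events(SAMPLE_EVENTS).items():
        print(src, action)
```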