Re: ipchains vsv portsentry (Was: Attack Alert)
- From: "Michael H. Warfield" <mhw wittsend com>
- To: Gustav Schaffter <gustav schaffter com>
- Cc: redhat-list redhat com
- Subject: Re: ipchains vsv portsentry (Was: Attack Alert)
- Date: Sun, 31 Oct 1999 13:56:24 -0500
On Sun, Oct 31, 1999 at 10:05:54AM +0100, Gustav Schaffter wrote:
> Chuck,
> I've seen lots of talk about portsentry.
> I have set up my ipchains so that any incoming traffic that is not
> explicitly ACCEPT'ed will in the last ppp rule be quietly DENY'ed.
> And logged.
> Please, enlighten me to what advantage portsentry would give over the
> ipchains logging in this matter.
I can give you a few. How about this.
PortSentry gives you the added advantage of cutting off attackers
from legitimate services where they may come probing. Someone poking at
my network finds that they can't even get to sendmail or web to begin
looking for holes there because PortSentry has reacted to their port
scan by cutting them off. The advantage is not in notifying you. The
advantage is in preempting a potential probe of other services.
I don't trust the UDP or stealth scanning modes of PortSentry
for reconfiguring my firewall since that leaves open the prospect
of spoofed denial of service attacks.
I filter everything through an IPChains based firewall with
PortSentry running on top of that. You can also add spf on top of
the resulting reactive firewall to add stateful filtering to block
FIN scans and such.
> Best regards
> Gustav
[...]
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw WittsEnd com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
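The policy Mike describes, a reactive block that cuts a scanning host off from every service, but only when the probe's source address has been verified by a completed TCP handshake, so that spoofed UDP or stealth (SYN/FIN/NULL) packets cannot be used to make the firewall block an innocent third party, is sketched below as an added example. This is not PortSentry's or ipchains' code: the log line format, the addresses, the served-port list and the threshold are all constructed for illustration, and "ACK without SYN" standing in for a completed handshake is a modelling assumption.

```python
"""
Reactive port-scan response modelled on the PortSentry-on-top-of-ipchains
setup from the mail above.  Added example, not PortSentry or ipchains code.
The log format and every address below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed log format (simplified; NOT the real ipchains "Packet log:" line):
#   <proto> <src_ip>:<src_port> -> <dst_port> <flags>
# <flags> is e.g. "SYN", "SYN,ACK", "ACK", "FIN", "NULL", or "-" for UDP.
LOG_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dport>\d+) (?P<flags>[A-Z,-]+)$"
)

# Ports explicitly ACCEPTed; everything else is the "quietly DENY'ed" remainder.
SERVED_PORTS = {22, 25, 80}

# Distinct unwanted ports a verified source may touch before it is cut off.
SCAN_THRESHOLD = 3


def parse(line):
    """Return a dict for one constructed log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"],
            "dport": int(m["dport"]), "flags": m["flags"]}


def classify(ev):
    """
    'connect': TCP probe whose handshake completed (ACK seen, no SYN), so the
               source address is real (assumption: that is what the log shows);
    'stealth': TCP probe that cannot be verified (bare SYN, FIN, NULL, XMAS ...);
    'udp'    : UDP datagram, trivially spoofable.
    """
    if ev["proto"] == "UDP":
        return "udp"
    flags = set(ev["flags"].split(","))
    if "ACK" in flags and "SYN" not in flags:
        return "connect"
    return "stealth"


class ReactiveFilter:
    """Tracks probes per source and decides served / logged / blocked / alert-only."""

    def __init__(self, threshold=SCAN_THRESHOLD):
        self.threshold = threshold
        self.connect_ports = defaultdict(set)    # src -> distinct ports probed by verified TCP
        self.unverified_hits = defaultdict(int)  # src -> stealth/UDP probes (alert only)
        self.blocked = set()

    def observe(self, line):
        ev = parse(line)
        if ev is None:
            return "unparsed"
        src = ev["src"]
        # Blocked sources are checked first: once cut off they cannot reach
        # sendmail or the web server either, which is the point of the setup.
        if src in self.blocked:
            return "dropped"
        if ev["dport"] in SERVED_PORTS:
            return "served"
        kind = classify(ev)
        if kind == "connect":
            self.connect_ports[src].add(ev["dport"])
            if len(self.connect_ports[src]) >= self.threshold:
                self.blocked.add(src)
                return "blocked"   # here a real deployment would insert a DENY rule
            return "logged"
        # Stealth/UDP probes are logged and alerted on but never reconfigure the
        # firewall: a spoofed source here would let an attacker block anyone.
        self.unverified_hits[src] += 1
        return "alert-only"


# Constructed sample log: one real scanner and one burst of spoofable probes.
SAMPLE_LOG = [
    "TCP 203.0.113.7:40001 -> 80 SYN",     # normal web hit, served
    "TCP 203.0.113.7:40002 -> 23 ACK",     # verified probe of an unserved port
    "TCP 203.0.113.7:40003 -> 110 ACK",
    "TCP 203.0.113.7:40004 -> 143 ACK",    # third distinct port: cut off
    "TCP 203.0.113.7:40005 -> 25 SYN",     # now cannot even reach sendmail
    "UDP 198.51.100.9:5353 -> 111 -",      # spoofable, alert only
    "TCP 198.51.100.9:6001 -> 139 FIN",
    "TCP 198.51.100.9:6002 -> 445 NULL",
    "TCP 198.51.100.9:6003 -> 1 NULL",     # never blocked, however many
    "not a log line",
]


def run_sample():
    """Feed the sample log through the filter; return (actions, blocked sources)."""
    f = ReactiveFilter()
    actions = [f.observe(line) for line in SAMPLE_LOG]
    return actions, sorted(f.blocked)


if __name__ == "__main__":
    for line, action in zip(SAMPLE_LOG, run_sample()[0]):
        print(f"{action:11s} {line}")
```

Running it shows the scanning host blocked after its third verified probe and its later SYN to port 25 dropped, while the source of the UDP/FIN/NULL probes accumulates alerts but is never added to the block list.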