[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Portsentry and iptables



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 01 October 2001 08:21 am, Bill Johnson wrote:
> After I sent my last reply, I looked at portsentry.conf.  Here is the
> section of port listings that is uncommented:
>
> # Use these if you just want to be aware:
> TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,
> 12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
> UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,
> 32773,32774,31337,54321"

Just a guess on my part, but perhaps this is an older config file, and 
updating portsentry probably results in keeping the existing config, 
while installing the new one as portsentry.conf.rpmnew. For at least the 
last few updates, the config file looks like:
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,143,540,635,1080,..........<snip>
UDP_PORTS="1,513,635,640........<snip>

> Port 111 is included in that list.  However, I noted the following
> comment directly above this section in the config -
> # These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
>
> I am using the advanced stealth scan detection mode, and have it set up
> as follows:
>
> #
> ADVANCED_PORTS_TCP="1023"
> ADVANCED_PORTS_UDP="1023"
> #
>
> My understanding is that this means any port below that port is
> included? Why doesn't it show in the log file, though, that portsentry
> is binding to port 111?

It will listen to all ports below 1023 that do not have daemons 
listening, except...
There should also be a define in the config file for ports to ignore in 
advanced stealth mode. That is probably why you're not seeing portsentry 
bind to port 111. From the config file:

# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="111,113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"

> Apologies for a lot of stupid questions, here.  I'm really just trying
> to figure out all this security stuff, and in light of the plethora of
> worms and virii out there, I'm just trying to keep my cable modem
> connection secure.

No problem at all. I'll certainly never fault anyone for attempting to 
learn, especially where security is concerned. ;)

- -D

- -- 

pgp key:  http://www.tuxfan.homeip.net:8080/pgpkey.txt

- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7uSDveMAUbzJhSVcRAuBHAJ47ppXBLswU0QxX0EjpQqNowMfWFwCfddMz
ykFJ8nC719TG/1afN7LJgdI=
=w+ba
-----END PGP SIGNATURE-----
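The binding rule the reply describes (advanced mode binds every port below ADVANCED_PORTS_TCP/UDP that has no daemon listening and is not in ADVANCED_EXCLUDE_TCP/UDP, while TCP_PORTS/UDP_PORTS are ignored) can be checked mechanically. The script below is an added example, not part of the original thread and not portsentry's own code: it parses the quoted config values from a constructed snippet, takes a hypothetical set of ports that already have daemons on them, and reports why a given port does or does not get bound. The "strictly below" boundary on ADVANCED_PORTS_* follows the wording of the reply.

```python
import re

# Constructed sample of the relevant portsentry.conf lines, mirroring the
# values quoted in the thread. Example data, not a real config file.
SAMPLE_CONF = """
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="111,113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
"""

# Hypothetical ports that already have a daemon listening on the host
# (what `netstat -an` would show). Constructed for illustration only.
LISTENING_TCP = {22, 25, 80}
LISTENING_UDP = {53}


def parse_conf(text):
    """Return {KEY: value} for every uncommented line of the form KEY="value"."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([A-Z_]+)="([^"]*)"$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def port_set(value):
    """Turn a comma-separated port list from the config into a set of ints."""
    return {int(p) for p in value.split(",") if p.strip()}


def _limits(conf, proto):
    top = int(conf[f"ADVANCED_PORTS_{proto}"])
    exclude = port_set(conf.get(f"ADVANCED_EXCLUDE_{proto}", ""))
    return top, exclude


def advanced_bind_set(conf, proto, listening):
    """Ports portsentry binds in advanced stealth mode for proto ('TCP' or 'UDP').

    Every port below ADVANCED_PORTS_<proto> that has no daemon listening and is
    not in ADVANCED_EXCLUDE_<proto>. TCP_PORTS/UDP_PORTS play no part here.
    """
    top, exclude = _limits(conf, proto)
    return {p for p in range(1, top) if p not in listening and p not in exclude}


def explain_port(conf, proto, port, listening):
    """Say why a given port is or is not bound, in the order portsentry applies the rules."""
    top, exclude = _limits(conf, proto)
    if port >= top:
        return f"not bound: {port} is not below ADVANCED_PORTS_{proto}={top}"
    if port in listening:
        return f"not bound: a daemon already listens on {proto} {port}"
    if port in exclude:
        return f"not bound: {port} is in ADVANCED_EXCLUDE_{proto}"
    return f"bound: portsentry listens on {proto} {port}"


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    # 111 is in TCP_PORTS but also in ADVANCED_EXCLUDE_TCP, so it is skipped;
    # 12345 is in TCP_PORTS but above 1023, so advanced mode never sees it.
    for port in (79, 111, 113, 22, 1023, 12345):
        print(explain_port(conf, "TCP", port, LISTENING_TCP))
    print(len(advanced_bind_set(conf, "TCP", LISTENING_TCP)), "TCP ports bound")
```

Feed it the real `portsentry.conf` and the output of `netstat -an` on the box in question and the same logic explains every port that is missing from the log: in the quoted config, 111 is excluded, 113 and 139 are excluded, and anything at or above 1023 is outside the advanced range regardless of what TCP_PORTS says.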
