Yup,

On 27-Sep-01 Reto Inversini wrote:

Hi,

In what category would you put a tool like portsentry from the abacus project of psionic? According to my knowledge it is not a real firewall, but it blocks all unused ports, and if someone tries to access a closed port, the attacker will be blocked immediately. Has anyone ever used this tool, and if yes, does a portsentry-secured system have enough security for a webserver in the rough world of the internet?
portsentry is a portscan detector with an active component. It is able to quickly place, say, an ipchains DENY rule or a hosts.deny entry in your firewalling rules to immediately block access from and to an attacker's IP in case of a portscan/probe. I still use portsentry (in a scaled-down configuration) on a few of our hosts, with the blocking feature enabled. However, there are some issues:

- If you don't carefully administer portsentry's ignore-hosts file, you open your network/host to denial-of-service attacks.
- portsentry's scan detection capabilities are limited; by carefully poking around on a portsentry-secured host an attacker could get the information he/she wants without triggering portsentry.
- Standalone, portsentry is definitely no firewalling solution; it's just an interesting add-on to a packet filter/stateful firewall.
- Some scanners (like nmap) may show an extended list of "filtered" ports if they hit a portsentry installation, thus informing the attacker about the presence of the tool.
- portsentry's "feature" of sending back messages to the attacker like "Your connection has been terminated, shove off!" (in non-advanced mode) may infuriate the attacker and provoke more sophisticated attacks.

If you want to use portsentry, give it time to show its stuff, for about one or two months or so, without the route-dropping feature. It then just informs you about portscans/probes.

However, the portscan detection capabilities of snort are now (as of version 1.8 and up) much better than portsentry's, and together with tools like guardian you could achieve the same log-and-drop functionality. Snort also offers usable intrusion detection, in a much more complete way than portsentry.
Regards
reto

----- Original Message -----
From: Boris Lorenz
To:
Sent: Thursday, September 27, 2001 11:34 AM
Subject: RE: [suse-security] Are firewalls necessary?

Hi,
On 27-Sep-01 Ray Dillinger wrote:
I have a machine, which serves several purposes. It is my main development platform, and it is also my main webserver.
Is this a public web server?
I've gone through the system and shut down all network services I'm not using -- for example squid came down, because I am not using proxy service at all, and ftpd came down because I don't want to provide ftp services. Rlogin, fingerd, telnetd, hylafax, etc, are also gone. No trusted hosts are defined for rlogin and friends to use anyway; the other boxes on my network are not considered "safe". [...]
Boris Lorenz
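The "log and drop" mechanism Boris describes (portsentry installing an ipchains DENY rule or hosts.deny entry, with an ignore-hosts file deciding who must never be blocked) reduces to a few lines of shell. The script below is an added example written for this page; it is not portsentry's, guardian's or snort's code. It reads constructed probe log lines in an assumed "<source-ip> <dst-port>" format, counts probes per source, and for every source at or above a threshold prints the ipchains and hosts.deny commands an active responder would run. It only prints them, so it can be run safely anywhere. The ignore list shows the denial-of-service caveat from the thread: a probe whose source is spoofed as the gateway (192.0.2.10 here) would otherwise cause the responder to cut the host off from its own router.

```sh
#!/bin/sh
# Added example, not code from the original thread or from portsentry/guardian.
# Simulates an active portscan responder: probes -> per-host count -> block rules.
# Nothing is applied to the system; the commands are only printed.

# Constructed sample probe log. Assumed format: "<source-ip> <destination-port>".
PROBES='203.0.113.7 23
203.0.113.7 111
198.51.100.4 21
192.0.2.10 79
203.0.113.7 513
192.0.2.10 513'

# Constructed ignore-hosts list: addresses that must never be blocked (localhost,
# the default gateway, DNS servers, monitoring hosts). An attacker who spoofs one
# of these as the probe source turns an unguarded responder into a DoS tool.
IGNORE='127.0.0.1
192.0.2.10'

# Block a source once it has hit this many monitored ports (portsentry itself
# reacts to a single probe; a threshold is used here to show the counting step).
THRESHOLD=2

# is_ignored IP LIST -> exit status 0 if IP appears as a whole line in LIST
is_ignored() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# block_rules PROBES IGNORE -> prints the ipchains DENY rule and hosts.deny line
# for every source at or above THRESHOLD that is not on the ignore list.
# Ignored offenders are reported on stderr only.
block_rules() {
    printf '%s\n' "$1" | awk 'NF >= 2 { print $1 }' | sort | uniq -c |
    while read -r count ip; do
        [ "$count" -ge "$THRESHOLD" ] || continue
        if is_ignored "$ip" "$2"; then
            echo "# $ip probed $count ports but is on the ignore list; not blocking" >&2
            continue
        fi
        # ipchains 1.x syntax: insert at head of the input chain, deny and log.
        echo "ipchains -I input -s $ip -j DENY -l"
        # TCP wrappers: refuse every wrapped service from this source.
        echo "echo 'ALL: $ip' >> /etc/hosts.deny"
    done
}

# blocked_hosts PROBES IGNORE -> just the source addresses that would be blocked
blocked_hosts() {
    block_rules "$1" "$2" 2>/dev/null | awk '/^ipchains/ { print $5 }'
}

block_rules "$PROBES" "$IGNORE"
```

Run as-is and the script prints two commands for 203.0.113.7 (three probes), nothing for 198.51.100.4 (one probe, under the threshold) and a stderr note for 192.0.2.10, which is above the threshold but protected by the ignore list. Dropping the ignore check is exactly the misconfiguration the thread warns about.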