On 6 Mar 2001, Paul J Collins wrote:
> I believe there is a way to get Portsentry to use ipchains to block
> IPs that are port-scanning you, which may be helpful.
how?
i think the portscanning tools have gotten more sophisticated eg
half-connects which will never be passed by the kernel to userspace
such as the nmap stealth scan. There are also other scans that use TCP
state to detect open ports without actually connecting, see the nmap
man page.
does portsentry packet snif, or does it just bind to every unbound
addr,port? if latter portsentry won't see those kinds of scans.
snort is a packet sniffer and so will pick these things up. (also
scans packets for known 'sploit attempts.. quite nifty).
--paulj
(course the easiest way to detect portscans is just to use your ears
and listen for inetd kicking off lots of different stuff.. :) )
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
