Actually, a general question about firewalling/monitoring. I used to
use a program named “portsentry” which would monitor all of the ports
on a firewall, and in the event that it detected a port-scan, would do
two things. It would add the remote IP to the hosts.deny file, and it
would deny any further packets from that host destined to the
firewall. It was amazing to see the number of hosts that it would
catch in a 24-hour period.
I’ve decided to go with a “stateful” firewalling setup, where only
ports which have services running on them are open, and everything
else is denied by default, unless it’s a packet which is part of an
“existing” conversation.
Only problem now is, since all but about 5 ports are open, portsentry
no longer works, and can’t detect when someone’s port scanning me
anymore. So this means that they get a full listing of what services
are running, and can attempt to connect, login, do whatever.
I’m wondering what’s riskier… Having all ports open, but detecting
and dropping people as soon as a port scan is detected, or having only
useful ports open, not detecting when someone is port scanning you,
and trolling through your logs constantly to see if anyone’s doing
anything they shouldn’t be…
Does anyone have any thoughts on this?
:)
–
________________________________________
Adrian Chung -
adrian@enfusion-group.com
http://www.enfusion-group.com/~adrian
________________________________________
6:57pm up 2:05, 3 users - [rogue.enfusion-group.com]
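One answer to the dilemma in the post is that a default-deny firewall does not lose the scan signal: every packet it drops on a closed port can be logged, and a scan shows up as one source hitting many distinct closed ports in a short window. The following is an added example, not part of the original message or of portsentry; it parses constructed iptables-style "DROP" log lines (the format, hostnames, addresses and the threshold/window values are all assumptions) and reports sources that look like scanners.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of firewall DROP log lines in an iptables LOG-target style
# (syslog timestamp, kernel prefix, SRC/DST/DPT fields). Not real traffic:
# 203.0.113.7 probes several closed ports within a few seconds, while
# 198.51.100.9 sends a single stray packet that should not be flagged.
SAMPLE_LOG = """\
Mar  3 18:40:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Mar  3 18:40:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Mar  3 18:40:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25
Mar  3 18:40:02 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=139
Mar  3 18:40:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=110
Mar  3 18:40:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=143
Mar  3 18:40:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443
"""

# Assumed log layout: "<syslog ts> <host> kernel: DROP ... SRC=<ip> ... DPT=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: DROP .*?"
    r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_drop(line):
    """Return (timestamp, src, dst_port) for a DROP line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m.group("src"), int(m.group("dpt"))

def find_scanners(log_text, threshold=5, window_seconds=60):
    """Flag sources that touch >= threshold distinct closed ports within the window.

    Returns {src: sorted ports seen in the window at the moment the alert fired}.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, port), oldest first
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_drop(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        q = recent[src]
        q.append((ts, dpt))
        while ts - q[0][0] > timedelta(seconds=window_seconds):  # expire old hits
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerts:
            alerts[src] = sorted(ports)
    return alerts

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

The alert dictionary is what a portsentry-style reaction (a hosts.deny entry or a firewall drop rule) would key on; the stray single-port hit stays below the threshold, which is the main tuning knob against false positives.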