BSD Today: Deploying Portsentry; What to do before the kiddies come calling
Jul 21, 2000, 14:57
(Other stories by Clifford Smith)
[ Thanks to Jeremy C. Reed for this link. ]
"I figured I didn't need a security policy when I set up my first web server some years back. ... And then it dawned on me that by simply scanning subnets your average script kiddie didn't need to know what my site was all about at all. He or she could just scan en masse for open ports and an easy way in and then plant a root kit for laughs or turn my machine into a spam forwarding station. I got a copy of SATAN and ran it against my own site. I was astonished. Every port that could be open was open, and identifiable to anyone on the internet. (There were these problems with my logs, too, but that is another story.)"
"...I built the best firewall I could with a Pentium 90 and the zero knowledge I had at the time and bit my lip. Some time after that I got introduced to a splendid little program called Portsentry that did precisely what I needed -- it let me know immediately when someone probed my perimeter wire. As an added benefit, it could make the port being probed just vanish from the intruder's sight."
"Portsentry actually does a lot more than that. It will log the offender's IP address and can insert that address into the /etc/hosts.deny file. It can be configured to simply drop the offender into a black hole in real time, or run a retaliation script (very much not recommended). For folks that have no provision for the high-dollar security services and those really expensive black boxes that a lot of companies sell, this program, used with its companion program Logcheck, is a pretty good deal. When coupled with a good firewall running a packet filter like IPF, it is a pretty hard combination to beat. These items can remove most of the threat from the subnet booty bandit, or the generic script kiddie (if you're into the whole genteel approach to name-calling)."
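The detect-log-block loop the excerpt describes, as an added example written for this page rather than code from Portsentry or from the article: listen on a set of decoy TCP ports, log every host that connects, and once a host has touched enough of them emit a TCP-wrappers line for /etc/hosts.deny and an IPF block rule. The decoy port list, the admin network 192.0.2.0/24 that is never blocked, the trigger count, and the interface name fxp0 are all assumptions; the sample probes in the demo are constructed, and there is deliberately no retaliation hook.

```python
"""Minimal Portsentry-style probe responder (example code for this page)."""
import ipaddress
import socket
import threading
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed list of decoy TCP ports: nothing legitimate listens here, so
# any completed connection is by definition a probe.
DECOY_TCP_PORTS = (1, 11, 15, 111, 143, 540, 1080, 12345, 31337)

# Hosts never to block: a false positive here locks the admin out.
# 192.0.2.0/24 stands in for the admin's own network (assumption).
IGNORE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# Number of decoy-port connections a host may make before we react.
SCAN_TRIGGER = 2


def hosts_deny_line(ip: str) -> str:
    """TCP-wrappers entry refusing every wrapped service to this host."""
    return f"ALL: {ip}"


def ipf_block_rule(ip: str, iface: str = "fxp0") -> str:
    """IPF rule dropping all inbound traffic from ip (interface name assumed)."""
    return f"block in quick on {iface} from {ip} to any"


class ProbeTracker:
    """Counts decoy hits per source address and decides when to block it."""

    def __init__(self, trigger: int = SCAN_TRIGGER, ignore=IGNORE_NETS):
        self.trigger = trigger
        self.ignore = list(ignore)
        self.hits: Dict[str, int] = {}
        self.blocked: Set[str] = set()
        self.log: List[str] = []

    def is_ignored(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def record(self, ip: str, port: int, when: Optional[datetime] = None) -> List[str]:
        """Log one probe and return the block actions to apply (empty if none)."""
        when = when or datetime.now(timezone.utc)
        self.log.append(f"{when.isoformat()} attackalert: connect from {ip} to TCP port {port}")
        if self.is_ignored(ip) or ip in self.blocked:
            return []                      # logged, but no action
        self.hits[ip] = self.hits.get(ip, 0) + 1
        if self.hits[ip] < self.trigger:
            return []
        self.blocked.add(ip)               # block once; repeating route/ipf changes only errors
        return [hosts_deny_line(ip), ipf_block_rule(ip)]


def serve_decoys(tracker: ProbeTracker, ports: Iterable[int], host: str = "0.0.0.0",
                 apply: Callable[[str], None] = print) -> List[socket.socket]:
    """Bind each decoy port; feed every accepted connection to the tracker.

    `apply` receives each action string; in a real deployment it would append
    to /etc/hosts.deny and feed the rule to ipf(8). Here it just prints.
    """
    def watch(sock: socket.socket) -> None:
        while True:
            conn, (src, _) = sock.accept()
            conn.close()                   # never talk back: no banner, no retaliation
            for action in tracker.record(src, sock.getsockname()[1]):
                apply(action)

    socks = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(5)
        threading.Thread(target=watch, args=(s,), daemon=True).start()
        socks.append(s)
    return socks


if __name__ == "__main__":
    # Constructed probes: one scanner from outside, one touch from the admin net.
    t = ProbeTracker()
    for ip, port in [("203.0.113.9", 111), ("203.0.113.9", 143),
                     ("192.0.2.5", 1), ("192.0.2.5", 11)]:
        for action in t.record(ip, port):
            print("would apply:", action)
    print("\n".join(t.log))
    # To listen for real (needs root for ports < 1024): serve_decoys(t, DECOY_TCP_PORTS)
```

The ignore list is the part to get right first: if the admin's own address or the monitoring host ever trips a decoy port, the automatic hosts.deny entry shuts the door on the one person who needs in. The tracker also blocks a host only once, which is what makes it safe to drive route or ipf changes from it without a flood of duplicate commands.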