> > <snip>
> > Anyway this is a Raq4 (fully patched inc SHP).
> > ipchains (via pmfirewall) defaults to DENY all then ALLOW the services I am running.
> > Portsentry (-stcp, -sudp) is set to a Trigger of 1 (paranoid)
> >
> > But because ipchains is denying packets, the monitored ports do not trigger Portsentry, causing the Raq to go into overdrive when a full port sweep is happening. (I like to see what ipchains is up to, so it is logging.)
> >
> > What I want is a default DENY policy but Portsentry to see the port scans and then drop the connections from that IP via ipchains.
> >
> > What is the best way to achieve this?
> > </snip>
>
> Huh!! You're currently blocking stuff using ipchains (the best way) and want to stop using this to use a program which checks for ports, then ADDS them to your ipchains block rules when they do a scan???

A little bit more detail: I would prefer portsentry to see the incoming scan after 2 or 3 ports, then let ipchains DENY all from that particular IP, so to the attacker my box seems dead, as they will get no response at all from any port.

> Seems strange to me, why do you want to do it this way round? Just set the common types of attacks you get to non-logging so the logs don't fill up quickly.

Yes, this seems the best option: turn off logging, as portsentry will still log an attack. It's just that at the moment, with a default DENY policy, the logs fill up with hundreds of "ipaddress.xx.xx.xx : portnumber DENY" lines etc. Doing a portscan to the Raq, I would prefer that the attacker did not know what ports/services were open or closed.

Thanks for the advice.

Peter
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
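The arrangement the thread is circling around, written out as an added example (this is not code from the thread, from pmfirewall or from portsentry; service ports, tripwire ports and the portsentry.conf path are assumptions for illustration). The mechanism behind Peter's problem is that portsentry in -stcp/-sudp mode binds to its tripwire ports and only sees a probe once the kernel has accepted it, so a packet the ipchains input chain DENYs never reaches portsentry. The script therefore keeps the default DENY policy, ACCEPTs the served ports plus a handful of tripwire ports that nothing but portsentry listens on, and drops the `-l` from the catch-all DENY so a full sweep no longer writes one log line per port. Portsentry's own KILL_ROUTE (the stock form from portsentry.conf) then inserts a per-source DENY at the top of the chain, after which the scanner gets no reply from any port, open or closed; SCAN_TRIGGER is the option that controls how many probes are tolerated before that happens.

```shell
#!/bin/sh
# Added example: ipchains default-DENY that still lets portsentry see a scan
# and then block the scanner. Ports and paths below are assumptions.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}   # set IPCHAINS=echo to preview the rules

# Assumed: services actually offered, and a subset of the tripwire ports listed
# in portsentry.conf TCP_PORTS / UDP_PORTS (must match what portsentry binds).
SERVICE_TCP="22 80 443"
TRIPWIRE_TCP="1 11 15 111 1080 12345 31337"
TRIPWIRE_UDP="1 7 9 69 161 31337"

build_rules() {
    $IPCHAINS -F input
    $IPCHAINS -P input DENY              # default policy: drop silently, no -l
    $IPCHAINS -A input -i lo -j ACCEPT

    # Replies to connections this box opened (non-SYN TCP segments). Note that
    # FIN/NULL probes pass this rule too; -stcp mode only sees completed connects.
    $IPCHAINS -A input -p tcp ! -y -j ACCEPT

    for p in $SERVICE_TCP; do
        $IPCHAINS -A input -p tcp -s 0/0 -d 0/0 $p -j ACCEPT
    done

    # Tripwire ports must be reachable, or portsentry never sees the probe.
    for p in $TRIPWIRE_TCP; do
        $IPCHAINS -A input -p tcp -s 0/0 -d 0/0 $p -j ACCEPT
    done
    for p in $TRIPWIRE_UDP; do
        $IPCHAINS -A input -p udp -s 0/0 -d 0/0 $p -j ACCEPT
    done

    # Catch-all without -l: the policy already drops, so logging here is what
    # produced the "hundreds of ipaddress:port DENY" lines. Portsentry logs the
    # scan itself, and its KILL_ROUTE rule keeps -l so one line per blocked
    # scanner still appears in the ipchains log.
    $IPCHAINS -A input -j DENY
}

# Fragment for portsentry.conf. $TARGET$ is expanded by portsentry itself.
# SCAN_TRIGGER="2" reacts after the third distinct probe, not the first.
portsentry_conf_fragment() {
    cat <<'EOF'
SCAN_TRIGGER="2"
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
KILL_HOSTS_DENY="ALL: $TARGET$"
EOF
}

# Usage (assumed paths):
#   sh firewall.sh apply                      # as root, on the RaQ
#   IPCHAINS=echo sh firewall.sh apply        # print the rules instead
#   sh firewall.sh conf >> /usr/local/psionic/portsentry/portsentry.conf
case "${1:-}" in
    apply) build_rules ;;
    conf)  portsentry_conf_fragment ;;
esac
```

Run the dry-run form first and check that every port in TRIPWIRE_TCP/UDP really is in portsentry's TCP_PORTS/UDP_PORTS and not served by anything else, otherwise the ACCEPT rule exposes a real service rather than a tripwire. Because KILL_ROUTE uses `-I`, the per-scanner DENY lands above the ACCEPT rules, so the block covers the served ports as well as the tripwires.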
