On Fri, 2002-11-01 at 14:16, Todd Lyons wrote:
> There's a downside to it. Suppose some legitimate server sends you data
> that the monitor considers to be a scan. All of a sudden your machine
> is blocking that IP. What if that IP happened to be your DNS servers,
> or your mail server? It happens. You're creating a guaranteed Denial
> of Service ... against yourself.

In the case of Portsentry, this can be true if you use the "canned" configurations that are already in the configuration file. However, it is possible to set Portsentry to watch nonstandard ports (individually and ranges) for scans and to tell it to ignore legitimate oft-used service ports (ftp/21, pop3/110, and so forth). It is possible (however unlikely) that a legitimate service request would originate from a machine also conducting an nmapfe port scan of, say, ports 3000-65535. Just as an example. You can also target tcp, udp, or both, listing those port numbers individually or ranges thereof.

> Blue skies... Todd

L8r,
LX

--
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
Kernel 2.4.18-6mdk Mandrake Linux 8.2
Enlightenment 0.16.5-11mdk Evolution 1.0.2-5mdk
Registered Linux User #268899 http://counter.li.org/
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
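
An added example (not part of the original messages and not Portsentry's own code): a small Python audit for the self-blocking risk discussed in this thread. It assumes the comma-separated `TCP_PORTS`/`UDP_PORTS` lists of portsentry.conf and an ignore file of IPs or IP/prefix entries; the sample config, ignore list, addresses and the `LEGIT_PORTS` table are constructed.

```python
import ipaddress
import re

# ftp/21 and pop3/110 are named in the reply; smtp/25 and dns/53 are
# assumptions added for the mail and DNS servers in the quoted concern.
LEGIT_PORTS = {21: "ftp", 25: "smtp", 53: "dns", 110: "pop3"}

# Constructed sample inputs (not taken from any real host).
SAMPLE_CONF = '''
# portsentry.conf (constructed)
TCP_PORTS="1,11,21,79,110,1524,31337"
UDP_PORTS="1,7,53,161,31337"
'''
SAMPLE_IGNORE = "127.0.0.1\n192.0.2.10\n198.51.100.0/24\n"
SAMPLE_TRUSTED = {"dns": "192.0.2.10", "mail": "203.0.113.25"}


def watched_ports(conf_text, key):
    """Return the set of ports in a KEY="a,b,c" line; comments are skipped."""
    for line in conf_text.splitlines():
        m = re.match(r'\s*%s\s*=\s*"([^"]*)"' % re.escape(key), line)
        if m:
            return {int(p) for p in m.group(1).split(",") if p.strip().isdigit()}
    return set()


def ignored_networks(ignore_text):
    """Parse an ignore list of bare IPs or IP/prefix entries."""
    nets = []
    for line in ignore_text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def audit(conf_text, ignore_text, trusted):
    """List settings that could make the host block its own services."""
    findings = []
    for key in ("TCP_PORTS", "UDP_PORTS"):
        for port in sorted(watched_ports(conf_text, key) & set(LEGIT_PORTS)):
            findings.append("%s watches %d (%s)" % (key, port, LEGIT_PORTS[port]))
    nets = ignored_networks(ignore_text)
    for role, ip in sorted(trusted.items()):
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            findings.append("%s server %s is not in the ignore list" % (role, ip))
    return findings
```

Run `audit()` against the real config and ignore file before enabling automatic blocking; an empty list means none of the listed service ports are watched and every trusted server is exempt from blocking.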