Well, PortSentry will alert you via syslog of its action, so you can view
the operation as the software immediately reacting and then letting you take
appropriate steps for a long-term solution. You can turn this feature off if
desired, and in fact, I usually do.

One big issue is that it would be easy to spoof someone else's IP address in
order to cause the server to block that person from accessing the machine. A
very good DoS attack. (Imagine if the server in question was a DNS server.
Remember, PortSentry may also create a black hole route for that host rather
than just using tcp_wrappers.)

Regards, Dustin

> -----Original Message-----
> From: Karel Jennings [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 08, 2001 1:38 PM
> To: [EMAIL PROTECTED]
> Subject: portsentry etc
>
>
> Hello, I was recently working on a remote server, playing with mysql.
> Anyway. I wanted to see what ports were open, and nmapped the box. :) The
> machine had portsentry running, and it dropped my connection *AND* put my IP
> in the hosts.deny. Isn't this a little bit harsh? Or is it good practise? My
> IDS at home bans for a couple days, but not infinitely. That got me
> thinking.. what is the better practise?
>
>
> As a side note, I have my firewall/router blocking pings. That seems to have
> reduced the triggering of the IDS.. is this just following the premise that the
> scriptkiddies won't touch what they can't see?
>
> Ciao!
>
> Karel
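A defender's sketch of the response policy the thread is weighing: bans that expire after a couple of days instead of a permanent hosts.deny entry, plus a never-block list for hosts such as the DNS server, so a spoofed scan "from" one of them cannot cut the box off. This is added example code, not PortSentry's own code nor either poster's; the attackalert log wording, addresses and networks are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in a PortSentry-like "attackalert" syslog format;
# the exact wording is assumed for illustration, not taken from PortSentry.
SAMPLE_LOG = """\
Nov  8 13:38:01 web1 portsentry[812]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 111
Nov  8 13:38:02 web1 portsentry[812]: attackalert: Connect from host: 192.0.2.53/192.0.2.53 to TCP port: 143
Nov  8 13:38:03 web1 portsentry[812]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 515
"""

# Sources that are never auto-blocked, however many alerts name them: a spoofed
# scan "from" the resolver or the gateway would otherwise take the server down.
NEVER_BLOCK = [ip_network("192.0.2.53/32"),  # recursive DNS server (assumed)
               ip_network("192.0.2.0/29")]   # gateway/management range (assumed)

BAN_DURATION = timedelta(days=2)  # bans expire rather than living in hosts.deny forever
T0 = datetime(2001, 11, 8, 13, 38)  # constructed "now" for the sample run

ALERT_RE = re.compile(r"attackalert: Connect from host: ([0-9.]+)/\S+ to TCP port: (\d+)")

def parse_alerts(log_text):
    """Return a list of (source_ip, port) tuples from attackalert lines."""
    matches = (ALERT_RE.search(line) for line in log_text.splitlines())
    return [(m.group(1), int(m.group(2))) for m in matches if m]

def is_protected(ip):
    """True if ip falls inside any never-block network."""
    addr = ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)

def decide_bans(log_text, now):
    """Map each offending source to a ban expiry; protected sources are only logged."""
    bans, skipped = {}, []
    for ip, _port in parse_alerts(log_text):
        if is_protected(ip):
            skipped.append(ip)       # the alert still reaches syslog, but no block
        elif ip not in bans:
            bans[ip] = now + BAN_DURATION
    return bans, sorted(set(skipped))

def is_blocked(bans, ip, at_time):
    """True while the ban for ip has not yet expired."""
    expiry = bans.get(ip)
    return expiry is not None and at_time < expiry

def hosts_deny_line(ip):
    """tcp_wrappers line a blocker would hold in hosts.deny for the ban's lifetime."""
    return f"ALL: {ip}"

if __name__ == "__main__":
    bans, skipped = decide_bans(SAMPLE_LOG, T0)
    for ip, expiry in bans.items():
        print(hosts_deny_line(ip), "until", expiry)
    print("alerted but never blocked:", skipped)
```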
