Hi,
Does anybody use port scan detectors on their Linux box? I'm running Linux Mandrake (kernel 2.6.3-7mdk default) and have been using portsentry-1.1 (see http://linux.cudeso.be/linuxdoc/portsentry.php ) for the past few months. However, I noticed that no devel work has taken place on it since Cisco hid it away in 2003. So I'm thinking of ditching it and moving on to better ones.

I had integrated it with the iptables firewall (so that it monitored a chosen port, and all the "danger ports" listed in /etc/portsentry/portsentry.conf were forwarded by iptables to that chosen port). Thus, anybody trying to run a DDoS, a port scan or a trojan phoning home on those danger ports would trigger portsentry w/out it having to monitor them all separately as services (which I did not like); the daemon would pop up a warning message, and iptables would dynamically block the address of the miscreant (though since that's probably spoofed, a cron job clears the blocklist later on to prevent unnecessary bloating).

I've been looking at psad (Port Scan Attack Daemon) at http://www.cipherdyne.com/psad/. This one is actively developed, and does not listen on ports but analyses iptables logs to detect port scans. Unfortunately, the only way to warn me in real time is by email (so it seems). This is unlike portsentry, which allowed me to let it execute any command (like a popup) when triggered. I prefer this because I do not wish to run an MTA for email warnings (wanna run as few servers as possible).

If anybody's used psad, can I configure it to execute a popup (like gmessage or artsmessage or something) instead of sending an email via an MTA? Are there any other port scan detectors that can do this (PLEASE DON'T SAY SNORT!!!! IT SENDS SO MANY GARBAGE MESSAGES THAT IT DROVE ME CRAZY, not to mention configuring it is hell)? Let me know of any experiences.
Analabha

________________________________________________________________________
Analabha Roy
Graduate Student, Department of Physics, University of Texas
1 University Station C1600, Austin, Texas 78712-0264, United States
Email: [EMAIL PROTECTED]
Home Page: http://www.ph.utexas.edu/~daneel
________________________________________________________________________

_______________________________________________
Siglinux mailing list
[EMAIL PROTECTED]
http://machito.utacm.org/mailman/listinfo/siglinux
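The post describes two detection styles: portsentry's "danger ports" (a single hit on a listed port is enough to alert) and psad's log-driven approach (many distinct destination ports from one source within a short window, read from iptables LOG lines). The following is an added example, not code from the post, from portsentry or from psad: a small Python detector that combines both triggers and hands the alert text to a local command of your choosing (for instance `xmessage`, which takes the message as its argument) instead of an MTA. The log lines, the source addresses, the danger-port list and the thresholds are constructed for the example; the syslog prefix and the `KEY=VALUE` field layout follow the usual iptables LOG format, and the script would normally be fed from `tail -F /var/log/messages` or the file your syslog writes kernel messages to.

```python
"""Port-scan detector over iptables LOG lines with a local alert command.

Added example (not part of the original post, portsentry or psad). It
parses syslog lines written by iptables' LOG target, tracks distinct
destination ports per source inside a sliding time window, and fires a
configurable local command instead of sending email.
"""
import shlex
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta


def parse_log_line(line):
    """Return the KEY=VALUE fields of an iptables LOG line, or None if it is not one."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def syslog_time(line):
    """Parse the leading 'Mon dd HH:MM:SS' syslog timestamp (year is irrelevant here)."""
    return datetime.strptime(" ".join(line.split()[:3]), "%b %d %H:%M:%S")


class ScanDetector:
    """Alert on (a) any hit on a danger port, (b) >= threshold distinct ports per source in a window."""

    def __init__(self, threshold=5, window_s=60, danger_ports=(), alert_cmd=None):
        self.threshold = threshold
        self.window = timedelta(seconds=window_s)
        self.danger_ports = set(danger_ports)
        self.alert_cmd = alert_cmd          # e.g. "xmessage" (hypothetical choice, any local tool works)
        self.events = defaultdict(list)     # src -> [(timestamp, dport), ...]
        self.alerted = set()                # sources already reported, to avoid popup storms

    def feed(self, line):
        rec = parse_log_line(line)
        if rec is None or "DPT" not in rec:    # ICMP etc. carry no destination port
            return None
        ts, src, dpt = syslog_time(line), rec["SRC"], int(rec["DPT"])
        # Keep only hits inside the sliding window, then add the current one.
        cutoff = ts - self.window
        hits = [h for h in self.events[src] if h[0] >= cutoff] + [(ts, dpt)]
        self.events[src] = hits
        if src in self.alerted:
            return None
        ports = sorted({p for _, p in hits})
        if dpt in self.danger_ports:
            kind = "danger-port"
        elif len(ports) >= self.threshold:
            kind = "scan"
        else:
            return None
        self.alerted.add(src)
        alert = {"kind": kind, "src": src, "ports": ports, "proto": rec.get("PROTO")}
        self.notify(alert)
        return alert

    def notify(self, alert):
        """Build the alert text and run the local command with it as the last argument."""
        msg = f"{alert['kind']} from {alert['src']} ({alert['proto']}): ports {alert['ports']}"
        if self.alert_cmd:
            subprocess.run(shlex.split(self.alert_cmd) + [msg], check=False)
        else:
            print(msg)
        return msg


def detect_all(log_text, **kwargs):
    """Run the detector over a block of log text and return the alerts raised."""
    det = ScanDetector(**kwargs)
    return [a for a in (det.feed(ln) for ln in log_text.splitlines()) if a]


# Constructed sample: one source probing several ports, one hitting a danger port,
# one ordinary connection, and one ICMP line without a destination port.
SAMPLE_LOG = """\
Apr  1 12:00:01 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=40001 DPT=21 SYN
Apr  1 12:00:01 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=40002 DPT=22 SYN
Apr  1 12:00:02 box kernel: IN=eth0 OUT= SRC=192.0.2.1 DST=192.168.1.2 PROTO=TCP SPT=51000 DPT=443 SYN
Apr  1 12:00:02 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=40003 DPT=23 SYN
Apr  1 12:00:03 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=40004 DPT=25 SYN
Apr  1 12:00:03 box kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.2 PROTO=TCP SPT=3333 DPT=31337 SYN
Apr  1 12:00:04 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=40005 DPT=80 SYN
Apr  1 12:00:05 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=40006 DPT=110 SYN
Apr  1 12:00:06 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 PROTO=ICMP TYPE=8 CODE=0
"""

if __name__ == "__main__":
    # Without alert_cmd the alerts are printed; pass alert_cmd="xmessage" for a popup.
    detect_all(SAMPLE_LOG, threshold=5, window_s=60, danger_ports={31337})
```

The `alerted` set is what keeps a noisy scanner from producing one popup per probe, which is the complaint about Snort in the post; a real deployment would expire entries from it the same way the cron job in the post clears the iptables blocklist. The detector only ever reads logs and runs a local notification, so nothing here needs to listen on a port.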
