Gossamer Forum
Portsentry
Does anyone use portsentry or hostsentry and if so how did you find it/them?
Re: [Paul] Portsentry
Never heard of them. Have you tried any of the more standard Linux port scanners?

memphis% apt-cache search scandetd
scandetd - Portscan detector for Linux.
memphis%

Seems to be pretty widespread.

- wil
Re: [Paul] Portsentry
In Reply To:
Does anyone use portsentry or hostsentry and if so how did you find it/them?

Yes, I found it by someone telling me about it. To install it, I went right to the FreeBSD ports collection and it was up in no time.

[mbadolato @ mbadolato]$ ps aux|grep portsentry
root 46676 0.0 0.1 916 508 ?? Is 3Nov02 0:00.01 /usr/local/bin/portsentry -tcp
root 46678 0.0 0.1 916 508 ?? Is 3Nov02 0:00.00 /usr/local/bin/portsentry -udp

I had also gotten some good tips from FreeBSD Unleashed for setting it up etc. I'm sure you can find some good info on the net.

--mark
Re: [Mark Badolato] Portsentry
I already installed it this morning, just wanted to know if anyone had had success with it :)

When I said "found" I meant did you like it :)

The only slightly annoying thing I can see is that it is filling up my logs with things like:

Nov 15 07:12:20 paul kernel: Packet log: input DENY lo PROTO=6 207.230.62.136:34683 207.230.62.136:80 L=60 S=0x00 I=40060 F=0x4000

Last edited by: Paul: Nov 15, 2002, 7:18 AM

Re: [Paul] Portsentry
Can I ask what's wrong with just using ipchains or iptables?

- wil
Re: [Mark Badolato] Portsentry
Hehe....
Re: [Mark Badolato] Portsentry
Ooooo this works great. I just tried the following from a remote machine to the server with portsentry installed:

telnet my_ip 1

It told me connection refused, as it should, so I then checked my logs on the machine with portsentry installed and I saw:

Nov 15 07:56:49 paul portsentry[16826]: attackalert: Host xxxxxx has been blocked via wrappers with string: "ALL: xxxxx"
Nov 15 07:56:49 paul portsentry[16826]: attackalert: Host xxxxxx has been blocked via dropped route using command: "/sbin/ipchains -I input -s xxxxx -j DENY -l"
Nov 15 07:56:49 paul portsentry[16826]: attackalert: TCP SYN scan from host xxxxx/xxxxx to TCP port: 1 from TCP port: 40250

hehe...so I then tried the same telnet command again and it wouldn't let me connect at all. Cool!
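An added example, not code from this thread or from the portsentry project: a small Python parser for the portsentry "attackalert" lines quoted in this post and the ipchains "Packet log" line Paul complained about earlier, run over constructed sample lines. It tallies per-host probed ports, how portsentry blocked the host and whether the firewall denied anything from it afterwards, and keeps loopback denies apart from scanner activity. The addresses, the second scan line and the eth0 line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the portsentry "attackalert" and ipchains
# "Packet log" entries quoted in this thread (documentation-range addresses).
SAMPLE_LOG = """\
Nov 15 07:12:20 paul kernel: Packet log: input DENY lo PROTO=6 203.0.113.5:34683 203.0.113.5:80 L=60 S=0x00 I=40060 F=0x4000
Nov 15 07:56:49 paul portsentry[16826]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
Nov 15 07:56:49 paul portsentry[16826]: attackalert: Host 192.0.2.10 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.0.2.10 -j DENY -l"
Nov 15 07:56:49 paul portsentry[16826]: attackalert: TCP SYN scan from host 192.0.2.10/192.0.2.10 to TCP port: 1 from TCP port: 40250
Nov 15 08:02:11 paul portsentry[16826]: attackalert: TCP SYN scan from host 192.0.2.10/192.0.2.10 to TCP port: 11 from TCP port: 40251
Nov 15 08:05:30 paul kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40252 203.0.113.5:22 L=60 S=0x00 I=40061 F=0x4000
"""

# One pattern per event type: portsentry scan alert, portsentry block notice, ipchains -l log line.
SCAN_RE = re.compile(r"attackalert: (?P<proto>TCP|UDP) .*?scan from host (?P<src>[^/\s]+)/\S+ to (?:TCP|UDP) port: (?P<dport>\d+)")
BLOCK_RE = re.compile(r"attackalert: Host (?P<src>\S+) has been blocked via (?P<method>wrappers|dropped route)")
PKT_RE = re.compile(r"Packet log: \S+ (?P<action>\S+) (?P<iface>\S+) PROTO=\d+ (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_line(line):
    """Classify one syslog line into a scan, block or packet event (None if none match)."""
    if m := SCAN_RE.search(line):
        return {"event": "scan", "src": m["src"], "proto": m["proto"], "dport": int(m["dport"])}
    if m := BLOCK_RE.search(line):
        return {"event": "block", "src": m["src"], "method": m["method"]}
    if m := PKT_RE.search(line):
        return {"event": "packet", "src": m["src"], "dst": m["dst"], "iface": m["iface"],
                "action": m["action"], "dport": int(m["dport"])}
    return None


def summarize(text):
    """Per source host: ports probed, how portsentry blocked it, and how many later
    packets the firewall denied. Hits on 'lo' are the box talking to itself, so
    they are kept apart from scanner activity instead of being counted as attacks."""
    hosts = defaultdict(lambda: {"ports": set(), "blocked_via": set(), "denied_after_block": 0})
    loopback = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "scan":
            hosts[ev["src"]]["ports"].add((ev["proto"], ev["dport"]))
        elif ev["event"] == "block":
            hosts[ev["src"]]["blocked_via"].add(ev["method"])
        elif ev["iface"] == "lo":
            loopback.append(ev)
        elif ev["action"] == "DENY" and ev["src"] in hosts:
            hosts[ev["src"]]["denied_after_block"] += 1
    return dict(hosts), loopback
```

A host that shows up in "scan" events but never in a "block" event is worth a look, since that is the case where portsentry alerted but the wrapper or route block did not take.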
Re: [Wil] Portsentry
Quote:
Can I ask what's wrong with just using ipchains or iptables?

portsentry is a front end to those to make it easier to use. I find ipchains quite difficult to use, but iptables is really nice, and easy to script around.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Portsentry
iptables is built into the 2.4.x kernels and ipchains into 2.2.x right?

- wil
Re: [Wil] Portsentry
Yup!

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Paul] Portsentry
In Reply To:
When I said "found" I meant did you like it :)

ayyyyyyy, and this is why I shouldn't touch a computer early in the morning. I have no comprehension skills..... sigh :)
Re: [Mark Badolato] Portsentry
I have no memory either.....I actually said "find" not "found" :)