Does anyone use portsentry or hostsentry and if so how did you find it/them?
Nov 15, 2002, 5:19 AM
Veteran / Moderator (4108 posts)
Post #2 of 12
Nov 15, 2002, 6:53 AM
Veteran (1509 posts)
Post #3 of 12
Yes, I found it by someone telling me about it. To install it, I went right to the FreeBSD ports collection and it was up in no time.
[mbadolato @ mbadolato]$ ps aux|grep portsentry
root 46676 0.0 0.1 916 508 ?? Is 3Nov02 0:00.01 /usr/local/bin/portsentry -tcp
root 46678 0.0 0.1 916 508 ?? Is 3Nov02 0:00.00 /usr/local/bin/portsentry -udp
I had also gotten some good tips from FreeBSD Unleashed for setting it up, etc. I'm sure you can find some good info on the net.
--mark
Nov 15, 2002, 7:18 AM
Veteran (19537 posts)
Post #4 of 12
I already installed it this morning; I just wanted to know if anyone had had success with it.
When I said "found" I meant did you like it :)
The only slightly annoying thing I can see is that it is filling up my logs with things like:
Nov 15 07:12:20 paul kernel: Packet log: input DENY lo PROTO=6 207.230.62.136:34683 207.230.62.136:80 L=60 S=0x00 I=40060 F=0x4000
Nov 15, 2002, 7:59 AM
Veteran (19537 posts)
Post #7 of 12
Ooooo this works great. I just tried the following from a remote machine to the server with portsentry installed:
telnet my_ip 1
It told me connection refused, as it should, so I then checked my logs on the machine with portsentry installed and I saw:
Nov 15 07:56:49 paul portsentry[16826]: attackalert: Host xxxxxx has been blocked via wrappers with string: "ALL: xxxxx"
Nov 15 07:56:49 paul portsentry[16826]: attackalert: Host xxxxxx has been blocked via dropped route using command: "/sbin/ipchains -I input -s xxxxx -j DENY -l"
Nov 15 07:56:49 paul portsentry[16826]: attackalert: TCP SYN scan from host xxxxx/xxxxx to TCP port: 1 from TCP port: 40250
hehe...so I then tried the same telnet command again and it wouldn't let me connect at all. Cool!
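To triage the attackalert and ipchains DENY lines quoted in this post, here is a small parser added as an example (it is not from the thread or from portsentry itself); the log lines it consumes are constructed with documentation-range IPs in the formats the posts show, and it groups scan reports, block actions and the resulting DENY hits by source address.

```python
import re
from collections import defaultdict

# Syslog prefix ("Nov 15 07:56:49 paul ") common to both line types in the thread.
_PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ "

# portsentry attackalert lines: the scan report and the two block actions.
SCAN_RE = re.compile(_PREFIX + r"portsentry\[\d+\]: attackalert: (?P<proto>TCP|UDP) "
                     r"(?P<kind>.*?) from host:? (?P<host>\S+) to (?:TCP|UDP) port: (?P<port>\d+)")
BLOCK_RE = re.compile(_PREFIX + r"portsentry\[\d+\]: attackalert: Host (?P<ip>\S+) "
                      r"has been blocked via (?P<how>wrappers|dropped route)")
# Kernel line written by the "-l" (log) flag on the ipchains DENY rule portsentry inserts.
DENY_RE = re.compile(_PREFIX + r"kernel: Packet log: input DENY \S+ PROTO=\d+ "
                     r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)")

# Constructed sample log (documentation-range IPs), in the formats the posts quote.
SAMPLE_LOG = [
    'Nov 15 07:56:49 paul portsentry[16826]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"',
    'Nov 15 07:56:49 paul portsentry[16826]: attackalert: Host 192.0.2.10 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.0.2.10 -j DENY -l"',
    "Nov 15 07:56:49 paul portsentry[16826]: attackalert: TCP SYN scan from host 192.0.2.10/192.0.2.10 to TCP port: 1 from TCP port: 40250",
    "Nov 15 07:57:02 paul kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40251 192.0.2.1:1 L=60 S=0x00 I=40061 F=0x4000",
    "Nov 15 07:57:05 paul kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40252 192.0.2.1:23 L=60 S=0x00 I=40062 F=0x4000",
    # A DENY hit with no matching attackalert: the kind of entry that fills the log without a scan behind it.
    "Nov 15 07:58:11 paul kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:51000 192.0.2.1:80 L=60 S=0x00 I=40100 F=0x4000",
]

def summarize(lines):
    """Group scan alerts, block actions and subsequent DENY hits by source IP."""
    report = defaultdict(lambda: {"scans": [], "blocked_via": set(), "denied": 0})
    for line in lines:
        if m := SCAN_RE.match(line):
            # portsentry reports the source as "name/ip"; keep the IP part.
            ip = m["host"].rsplit("/", 1)[-1]
            report[ip]["scans"].append((m["proto"], m["kind"], int(m["port"])))
        elif m := BLOCK_RE.match(line):
            report[m["ip"]]["blocked_via"].add(m["how"])
        elif m := DENY_RE.match(line):
            report[m["src"]]["denied"] += 1
    return dict(report)

def unexplained_denies(report):
    """Sources hitting the DENY rule that portsentry never reported scanning."""
    return sorted(ip for ip, r in report.items() if r["denied"] and not r["scans"])

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for ip, r in sorted(rep.items()):
        print(f"{ip}: scans={r['scans']} blocked_via={sorted(r['blocked_via'])} denied={r['denied']}")
    print("DENY hits without an attackalert:", unexplained_denies(rep))
```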
Nov 15, 2002, 10:44 AM
Administrator (9387 posts)
Post #8 of 12
Quote:
Can I ask what's wrong with just using ipchains or iptables?

portsentry is a front end to those to make it easier to use. I find ipchains quite difficult to use, but iptables is really nice, and easy to script around.
Cheers,
Alex
--
Gossamer Threads Inc.