[CLUG] So, you think you're safe?
Donncha O Caoimh
donncha.ocaoimh at tradesignals.com
Mon Apr 3 11:07:20 IST 2000
Yup, it's a lot more than just a static firewall.
If you use the "atcp" option it listens in on a selected number of ports
(widely dispersed and you can change them yourself) and if anyone
connects to them their IP address is effectively blocked from your
machine. You can't get to them, and they can't get to you! Of course, if
a service is running on one of the ports it's ignored.
Portsentry is smart enough to handle different protocols
(http/ftp/telnet etc.) and works very well here in work and at home.
Read the docs on the Portsentry homepage for a lot better description!
Oh yeah, don't block ident. FTP servers, Exchange and IIS send ident
requests back to you and might not allow access if it's blocked.
Collins_Paul at emc.com wrote:
> > From: Donncha O Caoimh [mailto:donncha.ocaoimh at tradesignals.com]
> > I wrote a small article on Portsentry, it's available at
> > http://cork.linux.ie/articles/safe.php3
> I set up ipchains on my box at home when I found two telnet attempts in my
> log files. I've seen a few connect attempts, mostly to port 119 (ident, I
> think), from a machine that appears to be an Exchange server. Freaky.
> Does PortSentry offer anything above and beyond plain ipchains in terms of
> protection (obviously ipchains won't send you mail if someone attempts
> to connect to you)?
> The stuff I have done is udp and tcp ports 0-1023 and 6000-6010 set to DENY;
> is there anything else I should be doing? (I'm thinking about suppressing
> ping replies.)