Does Portsentry make sense if there is a packet filter?
(Linux Security forum, System Security and Security Related category)
Hello,

I've just set up some new (Debian 3.0 GNU/Linux) servers, and did so as I always do, but this time I thought maybe adding Portsentry is not a bad idea.

The thing is: on these machines I also have, like always, installed some iptables rules, in order to only present those ports to the outside that should be publicly accessible.

E.g. on one server, which is meant to serve web pages, I opened only port 80 to the outside; things like SSH are only allowed from my office's IP, everything else is DROPed.

Well, my question is, does Portsentry make sense at all in this case? Because it binds to all those ports and waits for scans, which is great, but due to my packet filter, there will never be a packet that reaches those ports.

Wouldn't the Right Thing to do be enabling logging via iptables?

Thanks in advance,

--
Manuel Kiessling
Manuel Kiessling wrote:
> Hello,
>
> I've just set up some new (Debian 3.0 GNU/Linux) servers, and did so as
> I always do, but this time I thought maybe adding Portsentry is not a
> bad idea.
>
> The thing is: On these machines I also have, like always, installed some
> iptables rules, in order to only present those ports to the outside that
> should be publicly accessible.
>
> E.g. on one server, which is meant to serve web pages, I opened only
> port 80 to the outside, things like SSH are only allowed from my
> office's IP, everything else is DROPed.
>
> Well, my question is, does Portsentry make sense at all in this case?
> Because it binds to all those ports and waits for scans, which is great,
> but due to my packet filter, there will never be a packet that reaches
> those ports.

Portsentry will only see traffic on the ports that you've made available publicly.

> Wouldn't the Right Thing to do be enabling logging via iptables?

Yes, rather than DROP you can LOG, but as there is not really much wrong with port scanning (most ISPs ignore port scanning activity) you might want to check out an IDS such as snort.

> Thanks in advance,
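As an added example (not code posted in this thread), here is the kind of INPUT ruleset Manuel describes, with Giles's suggestion applied: a rate-limited LOG rule sits in front of the chain's DROP policy. LOG is a non-terminating target, so a logged packet still falls through to the policy and is dropped; the `-m limit` match keeps a fast scan from filling syslog, at the cost of not logging every probe. The ESTABLISHED,RELATED rule is what lets replies to outbound connections back in without opening any high port. The office address, interface name and log prefix are assumed values; `-m state` is the match available on the 2.4 kernels Debian 3.0 shipped with.

```shell
#!/bin/sh
# Added example: minimal INPUT policy for a web server that only exposes
# port 80, allows SSH from one office address, and logs what it drops.
# OFFICE_IP, WAN_IFACE and the "IPT-DROP: " prefix are assumed values.
set -eu

OFFICE_IP="${OFFICE_IP:-203.0.113.10}"   # assumed office address (TEST-NET-3)
WAN_IFACE="${WAN_IFACE:-eth0}"           # assumed external interface

# build_rules prints the iptables commands instead of running them, so the
# policy can be reviewed before it is applied; apply_rules feeds the same
# output to sh and therefore has to run as root.
build_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
# loopback, and replies to connections this host opened: this rule is why
# the high (>1024) ports never need to be opened for return traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the only publicly reachable service
iptables -A INPUT -i $WAN_IFACE -p tcp --dport 80 -m state --state NEW -j ACCEPT
# SSH only from the office
iptables -A INPUT -i $WAN_IFACE -p tcp -s $OFFICE_IP --dport 22 -m state --state NEW -j ACCEPT
# log everything else before the DROP policy eats it; LOG does not stop rule
# processing, and the limit caps how much a scan can write to syslog
iptables -A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "IPT-DROP: " --log-level 4
EOF
}

apply_rules() {
    build_rules | sh
}

# "sh rules.sh" prints the policy; "sh rules.sh apply" loads it (as root).
if [ "${1:-}" = apply ]; then
    apply_rules
else
    build_rules
fi
```

Review the printed rules (`sh rules.sh`) before loading them, and keep an SSH session open from the office while doing so: with the DROP policy in place, a typo in OFFICE_IP locks you out. The logged packets appear in the kernel log (`/var/log/kern.log` on Debian) with the chosen prefix.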
Giles Coochey wrote:
> Manuel Kiessling wrote:
>
>> Hello,
>>
>> I've just set up some new (Debian 3.0 GNU/Linux) servers, and did so as
>> I always do, but this time I thought maybe adding Portsentry is not a
>> bad idea.

Where did you get a copy of portsentry? I thought Cisco bought the company that made portsentry and it was no longer downloadable.

>> The thing is: On these machines I also have, like always, installed some
>> iptables rules, in order to only present those ports to the outside that
>> should be publicly accessible.
>>
>> E.g. on one server, which is meant to serve web pages, I opened only
>> port 80 to the outside, things like SSH are only allowed from my
>> office's IP, everything else is DROPed.
>>
>> Well, my question is, does Portsentry make sense at all in this case?
>> Because it binds to all those ports and waits for scans, which is great,
>> but due to my packet filter, there will never be a packet that reaches
>> those ports.

I am sure there are ports you have not blocked from incoming/outgoing. You should not block higher ports, as connects to your httpd server will be from high ports to your port 80. So, most ports above 1024 might be open. And since many programs run bound to upper ports like 31337, it might be very difficult to block all ports from incoming/outgoing on higher ports. Total security, at least to me, dictates a need for some monitoring of higher ports.

> Portsentry will only see traffic on the ports that you've made available
> publicly.
>
>> Wouldn't the Right Thing to do be enabling logging via iptables?
>
> Yes, rather than DROP you can LOG, but as there is not really much wrong
> with port scanning - (most ISPs ignore port scanning activity) - you might
> want to check out an IDS such as snort.

About port scanning being wrong: Port scanning is most likely the first thing an attacker does before trying to hit the real ports of interest. So, I think detection of port scanning is important in some phase of network security.

>> Thanks in advance,
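Manuel asked whether iptables logging could replace Portsentry, and Randy's point is that scan detection still matters once the logging is in place. As an added example (not code from the thread or from Portsentry), this script does the detection side over iptables LOG lines: it groups dropped packets by source address, counts the distinct destination ports each source touched, and reports sources above a threshold. Retransmissions of the same probe are counted once, so a host retrying one blocked port is not flagged as a scanner. The log lines are constructed for the example, the `IPT-DROP: ` prefix is an assumption, and the distinct-port heuristic is mine; with a rate-limited LOG rule it undercounts, since not every dropped packet is logged.

```shell
#!/bin/sh
# Added example: flag sources that probed many distinct dropped ports, from
# iptables LOG output as it appears in the kernel log. The sample lines below
# are constructed, in the field layout a 2.4-era LOG target writes; the
# "IPT-DROP: " prefix matches the (assumed) rule that produced them.
set -eu

SAMPLE_LOG=$(cat <<'EOF'
Jun 10 12:00:01 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1001 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 12:00:01 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1002 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 12:00:01 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1003 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 12:00:02 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1004 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 12:00:02 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1005 PROTO=TCP SPT=40005 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 12:00:02 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1006 PROTO=TCP SPT=40006 DPT=143 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 12:00:03 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1007 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 12:00:03 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=61 TOS=0x00 PREC=0x00 TTL=48 ID=1008 PROTO=UDP SPT=40007 DPT=161 LEN=41
Jun 10 12:00:03 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=1009 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jun 10 12:05:10 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=55 ID=2001 DF PROTO=TCP SPT=51022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 10 12:05:13 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=55 ID=2002 DF PROTO=TCP SPT=51022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 10 12:05:19 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=55 ID=2003 DF PROTO=TCP SPT=51022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 10 12:07:00 web1 sshd[812]: Accepted publickey for manuel from 203.0.113.10 port 49152 ssh2
Jun 10 12:09:41 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3001 DF PROTO=TCP SPT=1079 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 10 12:09:41 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3002 DF PROTO=TCP SPT=1080 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
EOF
)

# scan_sources MIN: read LOG lines on stdin, print "SRC count" for every
# source that hit at least MIN distinct destination ports. Lines without the
# prefix (other syslog traffic) and lines without DPT= (ICMP) are ignored;
# the same SRC/DPT pair is counted once, so retries do not inflate the count.
scan_sources() {
    awk -v min="$1" '
        /IPT-DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END {
            for (s in ports) if (ports[s] >= min) print s, ports[s]
        }' | sort
}

# Demo on the constructed sample; for real logs pipe the kernel log in
# instead, e.g.  scan_sources 5 < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | scan_sources "${1:-5}"
```

With the default threshold of 5 only 198.51.100.7 is reported (seven distinct ports, the retried SYN to 22 counted once); 203.0.113.50, which retried a single blocked port three times, is not. The threshold is the knob to tune: too low and every stray connection attempt is a "scan", too high and a slow, targeted probe of a handful of services slips under it.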
"Randy Ramsdell" <me@somewhere.else> wrote in message news:p5CdnVEVVe6EN0nd4p2dnA@comcast.com
> Where did you get a copy of portsentry? I thought Cisco bought the
> company that made portsentry and it was no longer downloadable.

http://sourceforge.net/projects/sentrytools/

--
use hotmail for email replies