I would like to know what the list would think about implementing portsentry.

Psionic was purchased by Cisco so the link referenced in the article above
will lead you to Cisco.

This is from the readme of portsentry:

PortSentry is part of the Abacus Project suite of tools. The Abacus
Project is an initiative to release low-maintenance, generic, and reliable
host-based intrusion detection software to the Internet community. More
information can be obtained from http://www.psionic.com.

PortSentry has a number of options to detect port scans; when it finds one
it can react in the following ways:

- A log indicating the incident is made via syslog()
- The target host is automatically dropped into /etc/hosts.deny
  for TCP Wrappers
- The local host is automatically re-configured to route all
  traffic to the target to a dead host to make the target system
- The local host is automatically re-configured to drop all
  packets from the target via a local packet filter.

The purpose of this is to give an admin a heads up that their host is
being probed. There are similar programs that do this already (klaxon,
etc.). We have added a little twist to the whole idea (auto-blocking), plus
extensive support for stealth scan detection.

I think this would be a great tool to be implemented on a firewall
(obviously Cisco does as well). It's a fairly lightweight program so it
should not take up much room.

I would like to get some feedback on the subject.
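
The detect-then-block flow the README describes (log the probe, then add the source to /etc/hosts.deny) can be sketched as follows. This is an added example, not part of the original post and not PortSentry's code; the "probe:" log format, the threshold and the ignore list are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input in a made-up "probe:" format (an assumption for
# this example; it is not PortSentry's real log output).
SAMPLE_LOG = """\
Jan 10 03:14:01 fw probe: src=192.0.2.10 proto=tcp dport=21
Jan 10 03:14:01 fw probe: src=192.0.2.10 proto=tcp dport=23
Jan 10 03:14:02 fw probe: src=192.0.2.10 proto=tcp dport=111
Jan 10 03:14:02 fw probe: src=192.0.2.10 proto=tcp dport=143
Jan 10 03:15:40 fw probe: src=198.51.100.7 proto=tcp dport=23
Jan 10 03:16:05 fw probe: src=10.0.0.5 proto=tcp dport=21
Jan 10 03:16:05 fw probe: src=10.0.0.5 proto=tcp dport=23
Jan 10 03:16:06 fw probe: src=10.0.0.5 proto=tcp dport=111
Jan 10 03:16:06 fw probe: src=10.0.0.5 proto=tcp dport=143
Jan 10 03:17:00 fw probe: src=not-an-ip proto=tcp dport=23
"""

PROBE_RE = re.compile(r"probe: src=(\S+) proto=(tcp|udp) dport=(\d+)")

def scanning_hosts(log_text, threshold=3, ignore=()):
    """Return sorted sources that probed >= threshold distinct ports."""
    ignored = [ipaddress.ip_network(n) for n in ignore]
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # never copy unvalidated log text into hosts.deny
        if any(src in net for net in ignored):
            continue  # e.g. the admin network, so auto-blocking cannot lock it out
        ports[src].add((m.group(2), int(m.group(3))))
    return sorted(str(ip) for ip, seen in ports.items() if len(seen) >= threshold)

def hosts_deny_lines(hosts):
    """Format entries in TCP Wrappers hosts.deny syntax (daemon_list: client_list)."""
    return [f"ALL: {h}" for h in hosts]

if __name__ == "__main__":
    for entry in hosts_deny_lines(scanning_hosts(SAMPLE_LOG, ignore=["10.0.0.0/8"])):
        print(entry)  # printed for review, not written to /etc/hosts.deny
```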