 From:  "Tracy Phillips" <tracy dot phillips at weberize dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  PortSentry Feedback
 Date:  Wed, 22 Oct 2003 11:15:25 -0500


I would like to know what the list would think about implementing portsentry
into m0n0wall?




Psionic was purchased by Cisco so the link referenced in the article above
will lead you to Cisco.


This is from the readme of portsentry:


PortSentry is part of the Abacus Project suite of tools. The Abacus
Project is an initiative to release low-maintenance, generic, and reliable
host based intrusion detection software to the Internet community. More
information can be obtained from http://www.psionic.com.


PortSentry has a number of options to detect port scans, when it finds one
it can react in the following ways:


            - A log indicating the incident is made via syslog()
            - The target host is automatically dropped into /etc/hosts.deny
              for TCP Wrappers
            - The local host is automatically re-configured to route all
              traffic to the target to a dead host to make the target system
            - The local host is automatically re-configured to drop all
              packets from the target via a local packet filter.



The purpose of this is to give an admin a heads up that their host is
being probed. There are similar programs that do this already (klaxon,
etc.) We have added a little twist to the whole idea (auto-blocking), plus
extensive support for stealth scan detection.




I think this would be a great tool to be implemented on a firewall
(obviously Cisco does as well). It's a fairly lightweight program so it
should not take up much room.


I would like to get some feedback on the subject.



Tracy Phillips
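
The detect-then-react flow in the README excerpt above (a log entry, then a /etc/hosts.deny entry for TCP Wrappers), shown as an added example; it is not PortSentry's code and not part of the original message. The monitored ports, trigger count, never-block list, log wording and sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (source address, destination TCP port) of inbound attempts.
SAMPLE_EVENTS = [
    ("192.0.2.10", 1), ("192.0.2.10", 111), ("192.0.2.10", 6000),
    ("198.51.100.7", 80),      # not a monitored port
    ("203.0.113.5", 111),      # single probe, below the trigger
    ("10.0.0.2", 1), ("10.0.0.2", 111), ("10.0.0.2", 6000),  # trusted LAN host
]

MONITORED_PORTS = {1, 111, 6000}   # assumed ports that run no real service
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/24")]  # assumed trusted networks
TRIGGER = 2   # assumed: distinct monitored ports probed before reacting


def react(events, monitored=MONITORED_PORTS, trigger=TRIGGER,
          never_block=NEVER_BLOCK):
    """Return (log_lines, hosts_deny_lines) for a sequence of attempts."""
    probed = defaultdict(set)   # source -> monitored ports it has touched
    blocked = set()
    log_lines, deny_lines = [], []
    for src, port in events:
        if port not in monitored:
            continue
        log_lines.append(f"probe from {src} to TCP port {port}")
        addr = ipaddress.ip_address(src)
        # Auto-blocking must never cut off hosts the firewall depends on.
        if any(addr in net for net in never_block):
            log_lines.append(f"{src} is on the never-block list, no action")
            continue
        probed[src].add(port)
        if len(probed[src]) >= trigger and src not in blocked:
            blocked.add(src)
            deny_lines.append(f"ALL: {src}")   # TCP Wrappers hosts.deny syntax
            log_lines.append(f"{src} added to hosts.deny")
    return log_lines, deny_lines


if __name__ == "__main__":
    logs, deny = react(SAMPLE_EVENTS)
    print("\n".join(logs))
    print("--- hosts.deny additions ---")
    print("\n".join(deny))
```
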