Security Incidents mailing list archives

Re: traffic logging


From: jbaker () CANADAMORTGAGE COM (Jason Baker)
Date: Mon, 8 May 2000 15:05:10 -0700


On May 08, spiff wrote:
On Wed, 3 May 2000, Damian Gerow wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Humm...  I don't much care for PortSentry's retaliation sequence.  The
suggested action (blocking the route, adding offending host to
hosts.deny, setting up a firewall rule to deny all traffic coming from
the offending host) really turns me off - it creates a nice, simple DoS
on its own.

I can confirm this to be true. In a recent audit, an nmap scan revealed
that the sysadmin had his home network 'protected' by PortSentry.

[snip]

This should not be taken as a critique of PortSentry, just as a caveat
regarding its potential abuses.

In the Portsentry author's favor - he covers this very point repeatedly
on the website and the install instructions.  What you choose to do with
a host that pokes at the ports is entirely up to you.

--
                A computer, to print out a fact,
                Will divide, multiply, and subtract.
                        But this output can be
                        No more than debris,
                If the input was short of exact.
                                -- Gigo
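The self-inflicted DoS the thread describes comes from reacting to a probe by blocking whatever source address it carried, with nothing exempted and nothing expiring. The following is an added example, not PortSentry's code or any poster's: a small responder model that keeps the blind-block behaviour but adds the two safeguards a defender would want, a never-block list for infrastructure the host cannot live without (gateway, resolver, management LAN) and time-limited blocks. The addresses, networks and probe events are constructed sample data, and the output is rendered as hosts.deny lines only to mirror the action the thread discusses.

```python
"""Auto-block policy with the safeguards a PortSentry-style responder needs.

Added example, not PortSentry's code. It models a responder that reacts to
port-probe events by blocking the source, and shows why a blind block is a
self-inflicted DoS: a probe whose source address is the site's own resolver
or gateway (whether forged or a real neighbour) would cut the host off from
services it depends on. Two mitigations are applied:
  1. a never-block allowlist of infrastructure the host must always reach;
  2. blocks that expire, so a mistaken block heals itself.
All addresses and events below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed: infrastructure this host must always be able to reach.
NEVER_BLOCK = [
    ipaddress.ip_network("192.0.2.1/32"),      # default gateway (sample)
    ipaddress.ip_network("192.0.2.53/32"),     # resolver (sample)
    ipaddress.ip_network("198.51.100.0/24"),   # management LAN (sample)
    ipaddress.ip_network("127.0.0.0/8"),       # loopback
]

BLOCK_SECONDS = 3600  # blocks are time-limited rather than permanent


@dataclass
class Responder:
    """Decides whether a probing source gets blocked; tracks active blocks."""
    never_block: list = field(default_factory=lambda: list(NEVER_BLOCK))
    block_seconds: int = BLOCK_SECONDS
    blocked: dict = field(default_factory=dict)  # ip -> expiry timestamp

    def is_protected(self, ip: str) -> bool:
        """True if the address falls inside any never-block network."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def handle_probe(self, ip: str, now: float) -> str:
        """Return the action taken: 'skip', 'block', or 'already-blocked'."""
        self.expire(now)
        if self.is_protected(ip):
            return "skip"            # the self-DoS case: refuse to block
        if ip in self.blocked:
            return "already-blocked"
        self.blocked[ip] = now + self.block_seconds
        return "block"

    def expire(self, now: float) -> list[str]:
        """Drop blocks that have timed out; return the released addresses."""
        released = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in released:
            del self.blocked[ip]
        return released

    def hosts_deny_lines(self) -> list[str]:
        """Render active blocks as hosts.deny entries (ALL: <ip>)."""
        return [f"ALL: {ip}" for ip in sorted(self.blocked)]


# Constructed sample events: (timestamp in seconds, source address on a probe).
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7"),       # unknown external host: block
    (5.0, "192.0.2.53"),        # source is our resolver's address: never block
    (6.0, "192.0.2.1"),         # source is our gateway's address: never block
    (7.0, "203.0.113.7"),       # repeat from the same host: already blocked
    (3700.0, "203.0.113.9"),    # an hour later: the first block has expired
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Feed the events through the responder and summarise the outcome."""
    r = Responder()
    actions = [(ip, r.handle_probe(ip, ts)) for ts, ip in events]
    return {"actions": actions, "active_blocks": r.hosts_deny_lines()}


if __name__ == "__main__":
    result = run()
    for ip, action in result["actions"]:
        print(f"{ip:>15}  {action}")
    print("hosts.deny would now contain:", result["active_blocks"])
```

Without the never-block list, the second and third events would have written the resolver and gateway into hosts.deny and the firewall, which is exactly the outage the posters warn about; without expiry, the block on 203.0.113.7 would persist forever even if the address was forged.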
