which firewall to use with portsentry


flynnwallace
12-09-2000, 12:39 AM
I already have portsentry up and running fine on my system but I am also considering using a firewall. I don't want to use ipchains. Can anyone recommend a good firewall for Linux and, if so, what effect will it have on portsentry?

Flynn

twistah
12-09-2000, 12:44 AM
Some questions:

1) Why exactly are you opposed to 'ipchains'? I don't think you'll find any other kernel-level packet filters, unless you switch to a different OS or a non-2.2.x kernel.

2) Doesn't PortSentry rely on you having 'ipchains' installed to do its automatic blocking of 'attackers'? This is, as I understand it, the coveted feature of PortSentry.

The concept of automatic blocking is majorly flawed, but I won't get into that right now (if you want to hear the theory against it, post a message.)

twistah

donxc2
12-09-2000, 01:21 AM
I'd recommend Bastille Interactive but it also uses ipchains.

flynnwallace
12-09-2000, 01:58 AM
Ok let me try to clarify..

I want an already designed firewall (e.g., Sinus Firewall) as opposed to having to design one myself with ipchains. I just don't have a lot of time YET to devote to them. All I want to do, if I can, is just click a button that says block this port or do not block this port. I just don't have much time to really devote to ipchains.

Also, yes, portsentry does rely on ipchains for some of its functions. However, it is not mandatory that changes be made or an ipchains configuration be set to get portsentry to work. This is what I want: a firewall that may or may not use ipchains but doesn't require me to make changes unless I want to.
Did that clear things up?

Flynn

flar
12-09-2000, 02:28 AM
Firewall w/ portsentry? I think one of the good firewalls is configured with ipchains. The problem is, portsentry tries to open ports (in case you don't know).

try PMFirewall (ipchains)

-flar-

[This message has been edited by flar (edited 09 December 2000).]

A_Lawn_GNOME
12-09-2000, 02:37 AM
A good firewall makes PS useless unless you intentionally open up holes in your firewall.

Most firewall builders are a frontend for ipchains. My recommendations are Firestarter and PMFirewall

vvx
12-09-2000, 02:42 AM
Portsentry listens on ports; it does not necessarily open ports, however. In classic and stealth modes it does. It has a list of ports, but to really simplify this let's just say you modified the list so it only listens on ports 42 and 69. It would open up those ports. Now you can't connect to them because Portsentry doesn't have anything to connect to, but it listens for attempts and scans. Now, if it detects one, it can respond in a few methods, the most popular and useful being creating an ipchains rule.

Now, it's important to remember that you can have ipchains installed without having an ipchains firewall: an ipchains firewall requires ipchains, but ipchains doesn't require a firewall. But if for one reason or another ipchains isn't installed and you just don't want to fudge with it, you could set portsentry to drop using the "route" command, which works as well, albeit not quite as secure as ipchains.

So, what is a good time to use portsentry and what isn't? If you have no ports accessible from the outside world, there is little reason to run portsentry. A firewall would be much more useful; this is my current setup, no services on the firewall box available to the outside. Now, if you did have a few services, portsentry becomes useful because as soon as they trip it they won't see anything after that point. So, if they scan incrementally up by 5 and hit port 5 first, they won't see anything open such as a webserver on 80, even if you have one installed.

Using portsentry with a firewall: simple enough. With an ipchains firewall you would simply allow packets in on whatever ports portsentry was listening on. Now, you can block output; the firewall just needs to hear the scans, not reply to them (unless you want to use the uber-l33t banner feature). It's not terribly complex; however, I do not know of any preconfigured firewalls that were designed with portsentry in mind. Either take the dive and learn ipchains, or set it up so no services are available to the outside world.

-Brian
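The mechanism vvx describes above (decoy listeners on unused ports, a block via an ipchains rule or a reject route once something connects, and ipchains rules that let the decoys hear probes), as an added example that is not part of the original thread and is not PortSentry's own code. The block command strings are written to resemble the stock Linux KILL_ROUTE lines in portsentry.conf, but treat that as an assumption and compare against your own copy; the decoy ports 42 and 69 are the ones vvx picked, and the scan is a constructed single TCP connect from the same machine so the whole thing runs offline.

```python
"""Added example, not code from the thread or from PortSentry itself.

Models the PortSentry idea from the post: bind decoy ports that nothing
answers on, and block the first host that connects, via ipchains or route.
"""
import ipaddress
import socket
import threading

DECOY_PORTS = [42, 69]   # the two ports from the post; real lists are longer


def block_command(attacker_ip, method="ipchains"):
    """Build the blocking command PortSentry would run for a detected host.

    ipchains: insert a logged DENY rule at the head of the input chain, so
              the host's packets are dropped before any service sees them.
    route:    add a reject route for the host. Weaker, as the thread notes:
              inbound packets still reach the box, only our replies stop.
    The strings follow the shape of portsentry.conf's KILL_ROUTE examples
    (assumption; verify against your installed config).
    """
    ip = ipaddress.ip_address(attacker_ip)   # rejects anything that is not a literal IP
    if method == "ipchains":
        return f"/sbin/ipchains -I input -s {ip} -j DENY -l"
    if method == "route":
        return f"/sbin/route add -host {ip} reject"
    raise ValueError(f"unknown block method: {method}")


def firewall_rules(decoy_ports, service_ports=(), silent=False):
    """ipchains rules (ipchains syntax: '-d addr port') for a box running decoys.

    Input on real services and on decoy ports is ACCEPTed so the decoys get
    the connection; everything else inbound is dropped by policy. With
    silent=True, output from the decoy ports is DENYed as the post suggests,
    which stops the handshake: only a raw-socket (stealth) detector still
    sees the SYN, an accept()-based listener like watch_decoy() will not.
    """
    rules = []
    for p in list(service_ports) + list(decoy_ports):
        rules.append(f"ipchains -A input -p tcp -d 0.0.0.0/0 {p} -j ACCEPT")
    if silent:
        for p in decoy_ports:
            rules.append(f"ipchains -A output -p tcp -s 0.0.0.0/0 {p} -j DENY")
    rules.append("ipchains -P input DENY")   # default deny for everything else
    return rules


def open_decoy(host="0.0.0.0", port=0):
    """Bind and listen on one decoy port; port=0 lets the OS choose (demo only)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def watch_decoy(sock, detected, timeout=5.0):
    """Accept one connection on a decoy, record the peer, close it at once.

    Nothing is ever sent back, so to the prober the port looks open but dead.
    Returns the peer IP, or None if nothing connected before the timeout.
    """
    sock.settimeout(timeout)
    try:
        conn, (peer_ip, _peer_port) = sock.accept()
    except socket.timeout:
        return None
    conn.close()
    if peer_ip not in detected:      # one block per host, not one per probe
        detected.append(peer_ip)
    return peer_ip


def simulate_scan(host, port):
    """Constructed stand-in for a scanner: a single TCP connect from this machine."""
    with socket.create_connection((host, port), timeout=5):
        pass


def demo():
    """Offline run: decoy on a loopback ephemeral port, one probe, one block command."""
    detected = []
    decoy = open_decoy("127.0.0.1", 0)
    port = decoy.getsockname()[1]
    t = threading.Thread(target=watch_decoy, args=(decoy, detected))
    t.start()
    simulate_scan("127.0.0.1", port)
    t.join()
    decoy.close()
    return [block_command(ip) for ip in detected]


if __name__ == "__main__":
    for rule in firewall_rules(DECOY_PORTS, service_ports=[80]):
        print(rule)
    for cmd in demo():
        print("would run:", cmd)
```

The `ipaddress` check is the one hardening detail worth copying: the real daemon substitutes the peer address into a shell command, so anything that feeds it a non-address (for example a hostname lookup result) must never reach the shell unvalidated. Note also the `silent` caveat: denying output on the decoy ports, as suggested in the post, keeps the box quiet but means a classic accept()-based listener never sees a completed connection.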

flynnwallace
12-09-2000, 03:38 AM
So since I will not be allowing others to telnet, ftp, or use any part of my system, it is best to use a firewall. So I don't really need portsentry then.

Flynn

Sokertes
12-09-2000, 04:03 AM
I use both PMFirewall and portsentry at the same time: the firewall for protection and portsentry for a heads-up on any suspicious activity that can lead to a compromising situation. I use both at home and at work, editing the portsentry config file for my needs and wants just for the heads-up. Even though I don't have ftp and telnet open to the outside world, I still have some individuals trying them as well as searching for an open port. It keeps my mind at ease knowing that if, for some odd reason, I unknowingly don't have all my potential ports closed, portsentry will monitor and catch any and all activity. I say that because we are only human and can overlook something very easily. So, all in all, in my opinion it is better to be safe than sorry by using both a firewall and a monitor.

Just my .02 cents worth

Sokertes

flar
12-09-2000, 04:17 AM
Portsentry listens to ports? I think you're wrong. It opens up your ports (have you tried it?). What if I won't scan you and attack you right away instead? If you'll see, with PMFirewall w/ portsentry, portsentry tries to open ports that PMFirewall closes, right? So I'd rather use one of those, one at a time, than run them both at the same time.

-flar-

[This message has been edited by flar (edited 09 December 2000).]

Fandelem
12-09-2000, 04:21 AM
I think you're overlooking the fact that even though it's open, nothing is really running on it, no service to attack. It's not like opening up tens of "free backstage pages". It's kind of a measure to take to see if you are being scanned in the first place; usually to "attack" something you would want to attack a service. One guy in a previous post had it right: it's nice for when you're being scanned. If you have portsentry stop it early on and block the intruder, bam, see ya later =)

although, having ALL : ALL in hosts.deny is probably smarter.. but anyways.. :}

my 2 cents worth

[This message has been edited by Fandelem (edited 09 December 2000).]

vvx
12-09-2000, 04:32 AM
Originally posted by flar:
Portsentry listens to ports? I think you're wrong. It opens up your ports (have you tried it?). What if I won't scan you and attack you right away instead? If you'll see, with PMFirewall w/ portsentry, portsentry tries to open ports that PMFirewall closes, right? So I'd rather use one of those, one at a time, than run them both at the same time.

-flar-

[This message has been edited by flar (edited 09 December 2000).]

Have I ever used it? Actually, I wrote the NHF. What do you think the point of opening up ports is, to make your system look attractive for would-be hackers? Of course not; the point is so that it can listen for attacks. As soon as it detects one, boom! Dropped via whatever method you set it up to (if you set it up to a method). To the attacker, your computer just disappears. So, if it scans other ports, even those with exposed services, it gets nothing back. Very cool concept. As for an immediate attack, yes, you have a good point here. If, say, you were planning to exploit wuftpd and knew that I was using it and had the vulnerable version, you could mount your attack right off the bat. But usually you don't know what version of ftpd, much less which ftpd I'm using, and even less likely, what OS. A port scan is a good bit for acquiring information. At any rate, you should still only run services you need and make sure they're all up to date; portsentry doesn't make you invincible.

As for running pmfirewall with portsentry, it would be pointless if pmfirewall is like most. The would-be attacker will be blocked before they even hit portsentry; portsentry would never detect anything and it would be useless. However, a nice custom set of ipchains rules would supplement a portsentry install nicely. If you're running a firewall, you can get very nice logging from it without a supplemental app such as portsentry. I could be totally mistaken on pmfirewall though, in which case that last paragraph should be disregarded for the most part.

Fandelem
12-09-2000, 04:56 AM
All PMFirewall is:

A bunch of config scripts filled with ipchains commands, nothing more. It's not some program like Checkpoint Firewall or anything like that; it's solely ipchains, just kind of newbie-friendly because of an install script that asks you good questions and puts in ipchains rules based on them.

I honestly use ipchains and portsentry, even if portsentry is redundant, and even if I have ALL : ALL in my hosts.deny already. It is only taking up 0.1 mem, so what the heck.

What possible disadvantages could there be?

flynnwallace
12-09-2000, 05:52 PM
Ok, thanks everyone. You guys have given me a really good idea of what I need to do. I think I'll go the firewall route and probably keep portsentry since it uses very few resources. Thanks again.

Flynn