
RE: How to avoid port scanners



Hi,

first of all, I did not say that portsentry should be used. I said that it
would be the same thing.

However, as a quick reply said, that is the same as a denial of service
(almost, that is).

A slow scan is not even caught by Snort, I believe; the only project I have
seen that is really good at finding slow scans would be SPADE. This, however,
if I am right, is not a "to go" product. With that said, I think there are a
few things missing in there.

I was looking at what you wanted, but came to the conclusion that there is
not really a way of doing this, as it is a part of the protocol. That was of
course only my own conclusion, which doesn't give you a perfect answer.

Kind regards
Robert Karlsson

-----Original Message-----
From: Adam William Lydick [mailto:awlydick@bulldog.unca.edu]
Sent: Thursday, January 17, 2002 4:54 PM
To: robert_karllson@non.agilent.com
Cc: vegard@engen.priv.no; debian-firewall@lists.debian.org
Subject: RE: How to avoid port scanners


Would this have any effect on the more common case of attackers scanning
for a single open port? Or a slower distributed scan? I don't believe I've
ever seen a full portscan in my logs. They tend to be looking for the
latest BIND/FTP/HTTP flaw. And mostly win32 worms at that :)

Also - from the description on the website portsentry seems to work only
on inactive ports...

Adam

On Thu, 17 Jan 2002 robert_karllson@non.agilent.com wrote:

> Hi,
>
> that would be portsentry
> http://www.psionic.com/abacus/portsentry/
>
> I also believe that there is a built in function in iptables doing this.
>
> Kind regards
> Robert Karlsson


